What about the pki package that comes with CentOS?
pki-server and pki-ca?
On 04/16/2017 11:54 AM, Alice Wonder wrote:
Oh, I don't know, their GitHub works.
However, it seems that it isn't able to deal with more than one OCSP signing key.
On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
On 04/14/2017 10:41 PM, Alice Wonder wrote:
https://www.openca.org/ might fit my needs.
Their CentOS repo does not exist, it seems?
On 04/14/2017 06:29 PM, Alice Wonder wrote:
Hello list,
I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE.
I already use self-signed for my MX servers (with 3 1 1 DANE records on TCP port 25) but I don't want to use self-signed for S/MIME for user-specific X.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that signs the user X.509 certificates.
Using an intermediary to sign their certificates, though, means I can't just revoke their certificates by removing the DNS certificate; I'll need to provide an OCSP server for when one of their private keys gets compromised.
I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1...
but it looks like that is intended for enterprise, more complex than I need.
Anyone know of a good simple script for providing OCSP?
-=-
Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates.
I think the PKI system has way way way too many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must.
DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
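The DNS trade-off described in the original post, as an added example that is not part of the thread: it builds the per-user records (one hashed local-part owner name per address) next to the single wildcard record that pins a signing intermediate. The owner-name format is assumed to follow RFC 8162 (SMIMEA); `example.com`, the addresses and the certificate bytes are constructed placeholders.

```python
import hashlib

LABEL = "_smimecert"  # fixed label that precedes the mail domain

def smimea_owner_name(address: str) -> str:
    """Per-user owner name: hex(SHA-256(local-part)[:28])._smimecert.<domain>."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{LABEL}.{domain.rstrip('.').lower()}."

def smimea_rdata(usage: int, selector: int, mtype: int, data: bytes) -> str:
    """RDATA in TLSA-style presentation form: usage selector matching-type data."""
    if mtype == 0:
        assoc = data.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return f"{usage} {selector} {mtype} {assoc}"

def per_user_zone(certs: dict) -> list:
    """One DANE-EE (usage 3) record per address, each under a hashed local-part."""
    return [f"{smimea_owner_name(a)} IN SMIMEA {smimea_rdata(3, 0, 1, der)}"
            for a, der in sorted(certs.items())]

def wildcard_zone(domain: str, intermediate_der: bytes) -> list:
    """One DANE-TA (usage 2) record pinning the signing intermediate for all users."""
    owner = f"*.{LABEL}.{domain.rstrip('.').lower()}."
    return [f"{owner} IN SMIMEA {smimea_rdata(2, 0, 1, intermediate_der)}"]

# Constructed placeholders standing in for DER-encoded certificates.
USER_CERTS = {
    "alice@example.com": b"constructed-alice-cert",
    "bob@example.com": b"constructed-bob-cert",
    "carol@example.com": b"constructed-carol-cert",
}
INTERMEDIATE = b"constructed-intermediate-ca-cert"

if __name__ == "__main__":
    for line in per_user_zone(USER_CERTS) + wildcard_zone("example.com", INTERMEDIATE):
        print(line)
```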