From: Jerry Geis geisj@pagestation.com To: CentOS ML centos@centos.org Sent: Monday, 24 August, 2009 14:32:00 Subject: [CentOS] self signing certificates
hi all,
I have gone through the process of self signing certificates. Aside from the pop-ups about not trusted etc... everything appears to work.
For "internal" applications what do people/places do? It would be nice to be seamless and have the "you're not trusted" window pop up.
As someone else previously detailed, you really need to have a root signing CA that only signs certs for your issuing CAs and then use the issuing CAs to sign end use certificates of whatever types you deem appropriate. It is considered required practice that root CA and issuing CAs must be physically isolated from all network connections and that floppy or sneaker net must be used to handle incoming CSR and outgoing CERTS. If you are simply using certs for encryption and not for authentication then this practice probably can be safely dispensed with. If you ARE using certs for authentication then this provision is absolutely required.
The arrangement of self-signed root CA <--CSR--- Issuing CA <--CSR--- end-user is now critical for Firefox users. Releases in the 3.x series will no longer trust any self-signed CA certificate. So, to avoid the warning box in Firefox you must have the end use certificates signed by an intermediate CA whose own certificate may however be signed by a self-signed root.
Yet this is not a public web site either. Just internal use. The server might be on the internet but people from the internet are not using it.
Well, the available software has no way of figuring that out for itself, so it makes no difference. And, to be precise, "people from the internet should not be using it", which is rather a different thing.
I presume there is no way to by-pass the certificate signing process - even for internal apps. Is there?
Not unless you can live with the warning boxes.
I would go buy a cert.
They aren't much money and you can specify the granularity you want the cert to have, the more granularity, the higher the cost but they are not that much anyways.
Whether your site is internal or not is irrelevant, as you should approach your LAN as a hostile place.
After all, 75% of breaches occur from within. You can take that however you want, but the days of a soft nougatine LAN are over.
On Aug 24, 2009, at 4:59 PM, James B. Byrne wrote:
-- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB@Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, 24 Aug 2009, aurfalien@gmail.com wrote:
The difficulty with purchased certificates is timely revocation, since, as you note,
After all, 75% of breaches occur from within. You can take that however you want, but the days of a soft nougatine LAN are over.
An in-house Certificate Authority can revoke, say, a locally issued OpenVPN certificate very quickly. If HR calls you aside for a quick and quiet meeting to halt all network access for Jane Employee, having the ability to revoke her certificate(s) by the time she's ushered from the building is nearly essential.
The same thing is true if a user's laptop is stolen. An employee called me early one Sunday morning to let me know that someone had broken into his house and stolen, among other things, his laptop. He had things encrypted, but it was still very reassuring to everyone that I was able to revoke his VPN cert within a few minutes.
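The two points made in this thread, the self-signed root <--CSR--- issuing CA <--CSR--- end-entity arrangement and the ability of an in-house CA to revoke a certificate within minutes, can be exercised end to end with nothing but openssl(1). The script below is an added example written for this page, not code posted by anyone in the thread: it builds the two-tier hierarchy, issues a server certificate through the issuing CA's database, verifies the chain the way a client with the root in its trust store would, then revokes the server certificate, publishes a CRL and shows that a CRL-aware verification rejects it while a plain chain check still accepts it. The CA names, the hostname intranet.example.internal, the config file name pki.cnf and the 365/1825/3650-day lifetimes are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the CentOS thread: two-tier internal PKI
# (self-signed root -> issuing CA -> server cert) with openssl(1), followed by
# revocation of the server cert and a CRL check. All names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file serves `openssl req`/`openssl x509` (extension sections) and
# `openssl ca` (the issuing CA's database, needed for issuing and revoking).
write_config() {
    mkdir -p ca/newcerts
    : > ca/index.txt          # certificate database, one line per issued cert
    echo 1000 > ca/serial     # next certificate serial (hex)
    echo 1000 > ca/crlnumber  # next CRL number (hex)
    cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ ca ]
default_ca = issuing_ca
[ issuing_ca ]
database         = ./ca/index.txt
new_certs_dir    = ./ca/newcerts
serial           = ./ca/serial
crlnumber        = ./ca/crlnumber
certificate      = ./intermediate.pem
private_key      = ./intermediate.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
x509_extensions  = server_ext
[ policy_cn ]
commonName = supplied
# Root: may sign CA certificates and CRLs, nothing else.
[ root_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
# Issuing CA: pathlen:0 means it may sign end-entity certs but no further CAs.
[ int_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
# Server cert: not a CA; clients match the hostname against subjectAltName.
[ server_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:intranet.example.internal
EOF
}

# root (self-signed) <--CSR-- issuing CA <--CSR-- server
build_hierarchy() {
    openssl ecparam -name prime256v1 -genkey -noout -out root.key
    openssl req -new -x509 -config pki.cnf -extensions root_ext -key root.key \
        -subj "/CN=Example Internal Root CA" -days 3650 -sha256 -out root.pem
    openssl ecparam -name prime256v1 -genkey -noout -out intermediate.key
    openssl req -new -config pki.cnf -key intermediate.key \
        -subj "/CN=Example Internal Issuing CA" -out intermediate.csr
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 1825 -sha256 -extfile pki.cnf -extensions int_ext \
        -out intermediate.pem
    openssl ecparam -name prime256v1 -genkey -noout -out server.key
    openssl req -new -config pki.cnf -key server.key \
        -subj "/CN=intranet.example.internal" -out server.csr
    # Issue via `openssl ca` so the cert lands in index.txt and can be revoked.
    openssl ca -batch -config pki.cnf -notext -in server.csr -out server.pem
    openssl ca -batch -config pki.cnf -gencrl -out intermediate.crl
}

# Chain check only: what a client with root.pem in its trust store does.
verify_chain() {
    openssl verify -CAfile root.pem -untrusted intermediate.pem server.pem
}

# Chain check plus the issuing CA's CRL, as a CRL-aware client does.
verify_with_crl() {
    openssl verify -crl_check -CAfile root.pem -CRLfile intermediate.crl \
        -untrusted intermediate.pem server.pem
}

# Mark the server cert revoked in the CA database and publish a fresh CRL.
revoke_server() {
    openssl ca -batch -config pki.cnf -revoke server.pem
    openssl ca -batch -config pki.cnf -gencrl -out intermediate.crl
}

# Number of revoked ("R") entries in the issuing CA's database.
revoked_count() {
    grep -c '^R' ca/index.txt || true
}

write_config
build_hierarchy >/dev/null 2>&1
verify_chain                                 # server.pem: OK
verify_with_crl                              # OK too: the CRL is still empty
revoke_server >/dev/null 2>&1
echo "revoked entries: $(revoked_count)"     # 1
verify_chain                                 # still OK: no CRL consulted
verify_with_crl || echo "CRL check rejects the revoked certificate"
```

The last two lines are the practical point: revoking at the CA does nothing until relying parties actually fetch and check the CRL (or OCSP), so the "revoked within minutes" story from the thread only holds for services such as an OpenVPN server configured to check a freshly published CRL. The separation of root and issuing keys is what lets root.key stay offline as described above: it only ever signs intermediate.csr.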