[CentOS] self signing certificates

Paul Heinlein heinlein at madboa.com
Tue Aug 25 15:30:00 UTC 2009


On Mon, 24 Aug 2009, aurfalien at gmail.com wrote:

> I would go buy a cert.
>
> They aren't much money and you can specify the granularity you want 
> the cert to have, the more granularity, the higher the cost but they 
> are not that much anyways.

The difficulty with purchased certificates is timely revocation, 
since, as you note,

> After all, 75% of breaches occur from within.  You can take that 
> however you want but the days of a soft nougatine LAN are over.

An in-house Certificate Authority can revoke, say, a locally issued 
OpenVPN certificate very quickly. If HR calls you aside for a quick 
and quiet meeting to halt all network access for Jane Employee, having 
the ability to revoke her certificate(s) by the time she's ushered 
from the building is nearly essential.

The same thing is true if a user's laptop is stolen. An employee 
called me early one Sunday morning to let me know that someone had 
broken into his house and stolen, among other things, his laptop. He 
had things encrypted, but it was still very reassuring to everyone 
that I was able to revoke his VPN cert within a few minutes.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
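The revocation workflow the reply describes, as an added example that is not code from the original post or from any CentOS package: a disposable in-house CA built with the openssl CLI (1.1.1 or later assumed) issues two OpenVPN-style client certificates, revokes one of them, publishes a fresh CRL, and shows that only the revoked certificate now fails CRL-checked verification. The CA layout, config file, file names and the employee common names are assumptions made for the example; the `crl-verify` directive mentioned in the comments is OpenVPN's real server option for pointing at a CRL.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway in-house CA
# issues OpenVPN-style client certs, revokes one, publishes a new CRL and
# verifies the result. Layout, file names and common names are assumptions.

# Create a minimal CA under $1: key, self-signed cert, the database files
# `openssl ca` needs, and a config that references them.
setup_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"          # empty issued-cert database
    echo 1000 > "$dir/serial"     # next certificate serial (hex)
    echo 1000 > "$dir/crlnumber"  # next CRL number (hex)
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = local_ca
[ local_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 1
policy           = local_policy
x509_extensions  = client_ext
[ local_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
prompt           = no
[ req_dn ]
CN               = Example In-House CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -config "$dir/ca.cnf" -extensions ca_ext \
        -key "$dir/ca.key" -days 30 -out "$dir/ca.crt"
    # Publish an empty CRL right away so verifiers always have one to check.
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Issue a client certificate for common name $2 and print its path.
issue_client() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -key "$dir/$cn.key" \
        -subj "/CN=$cn" -out "$dir/$cn.csr"
    openssl ca -config "$dir/ca.cnf" -batch -notext \
        -in "$dir/$cn.csr" -out "$dir/$cn.crt" 2>/dev/null
    echo "$dir/$cn.crt"
}

# Revoke certificate $2 with CRL reason $3 and regenerate the CRL. An OpenVPN
# server configured with `crl-verify crl.pem` rejects the cert as soon as the
# new CRL is copied into place; this is the step that takes minutes in-house.
revoke_client() {
    dir=$1; crt=$2; reason=$3
    openssl ca -config "$dir/ca.cnf" -revoke "$crt" -crl_reason "$reason" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Print "valid", "revoked" or "invalid" for certificate $2: chain it to the CA
# and check the CRL, which is what a crl-verify'ing OpenVPN server does.
cert_status() {
    dir=$1; crt=$2
    out=$(openssl verify -crl_check -CAfile "$dir/ca.crt" \
              -CRLfile "$dir/crl.pem" "$crt" 2>&1) || true
    case $out in
        *revoked*) echo revoked ;;
        *": OK"*)  echo valid ;;
        *)         echo invalid ;;
    esac
}

# Walk-through: two employees get VPN certs, then HR walks Jane out.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
setup_ca "$WORK"
JANE=$(issue_client "$WORK" jane.employee)
BOB=$(issue_client "$WORK" bob.colleague)
JANE_BEFORE=$(cert_status "$WORK" "$JANE")
revoke_client "$WORK" "$JANE" affiliationChanged
JANE_AFTER=$(cert_status "$WORK" "$JANE")
BOB_AFTER=$(cert_status "$WORK" "$BOB")
echo "jane.employee: $JANE_BEFORE -> $JANE_AFTER; bob.colleague still $BOB_AFTER"
```

For the stolen-laptop case the only change is the reason code (keyCompromise instead of affiliationChanged); the CRL is still only as fast as its distribution, so the server-side `crl-verify` file has to be replaced, not just regenerated on the CA host.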
