[CentOS] self signing certificates

Mon Aug 24 14:14:48 UTC 2009
Jason Pyeron <jpyeron at pdinc.us>


> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Brian Becker
> Sent: Monday, August 24, 2009 9:44
> To: CentOS mailing list
> Subject: Re: [CentOS] self signing certificates
> 
> On Mon, Aug 24, 2009 at 9:32 AM, Jerry 
> Geis<geisj at pagestation.com> wrote:
> 
> > For "internal" applications what do people/places do?

We follow the design at VeriSign.

We have an offline master RootCA cert; this has signed another offline PublicCA.

The PublicCA is a machine which takes certificate signing requests (you can make
these using openssl, or microsoft stuff, etc) and signs those out.

For development we have a non-public online DevCA that we use to sign test code,
etc. This code is never intended to leave our dev lab. If the code is leaving
the lab it will have to be signed by our PackageSigningCA (online), which is
signed by our PublicCA.

We have our RootCA pushed to all of our servers and workstations. It is also
available via http://ca.pdinc.us.

The DevCA is manually installed by each user on each machine that wants it. It
also expires every 110 days, and we make a new one every 90 days.

Hope this helps.

> > It would be nice to be seamless and have the "you're not trusted" window
> > pop-up.
> > Yet this is not a public web site either. Just internal use.
> > The server might be on the internet but people from the internet are
> > not using it.
> >
> > I presume there is no way to by-pass the certificate signing process -
> > even for internal apps.
> > Is there?

Nope.

> >
> > Thanks,
> >
> > Jerry
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
> 
> If you are in a windows domain you can distribute the public 
> certificate of your "signing authority" using active 
> directory.  This will prevent IE from showing the untrusted 
> warning.  Otherwise you can install the public certificate 
> into the users web browser and any certs you sign will show 
> as trusted.
> 

A good source of how to do this on OS/Application X:

http://wiki.cacert.org/wiki/BrowserClients#ImportintoMicrosoftActiveDirectoryGroupPolicyobject

> If you can give an idea of what platform/browser I can 
> provide more specifics.
> 
> Brian

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
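The layout Jason describes above (an offline RootCA that signs an issuing PublicCA, which signs CSRs for servers, plus a short-lived DevCA re-issued before it expires) can be reproduced with nothing but openssl. The script below is an added example written for this archive page, not code from the thread or from PD Inc. Every name in it (Example Root CA, Example Public CA, intranet.example.test, the dev/ subdirectory, the 110-day/90-day figures taken from the post) is a stand-in. It uses `openssl x509 -req` rather than `openssl ca`, so there is no serial database or CRL handling; that is enough to show the trust relationships, not to run a production CA.

```shell
#!/bin/sh
# Added example: two-tier CA (offline root -> issuing CA -> leaf) plus a
# short-lived DevCA, modelled on the layout described in the thread.
# All names, paths and lifetimes here are hypothetical.
set -e

# One config for every openssl req / x509 -req call. The sections differ
# only in the extensions that make a cert a root, an issuing CA, or a leaf.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_issuing ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
EOF
}

# Build RootCA -> PublicCA -> server leaf under directory $1.
build_pki() {
    dir="$1"; mkdir -p "$dir"
    ( cd "$dir" && write_config req.cnf &&
      # RootCA: self-signed and long-lived. In production root.key never
      # sits on a networked machine; only root.crt is distributed.
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
          -days 3650 -subj "/CN=Example Root CA" -config req.cnf -extensions v3_root &&
      # PublicCA: a CSR signed by the root. pathlen:0 means it can sign
      # leaves but not further CAs, which limits the damage if it is lost.
      openssl req -newkey rsa:2048 -nodes -keyout public.key -out public.csr \
          -subj "/CN=Example Public CA" -config req.cnf &&
      openssl x509 -req -in public.csr -CA root.crt -CAkey root.key -CAcreateserial \
          -days 1825 -extfile req.cnf -extensions v3_issuing -out public.crt &&
      # Server leaf: the CSR goes to the PublicCA, never to the root.
      openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
          -subj "/CN=intranet.example.test" -config req.cnf &&
      openssl x509 -req -in server.csr -CA public.crt -CAkey public.key -CAcreateserial \
          -days 365 -extfile req.cnf -extensions v3_leaf -out server.crt
    ) >/dev/null 2>&1
}

# Self-signed DevCA valid for $2 days (the post uses 110), written to $1/dev.crt.
make_dev_ca() {
    dir="$1"; days="$2"; mkdir -p "$dir"
    ( cd "$dir" && write_config req.cnf &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout dev.key -out dev.crt \
          -days "$days" -subj "/CN=Example Dev CA" -config req.cnf -extensions v3_root
    ) >/dev/null 2>&1
}

# 0 if the leaf chains to the root through the intermediate: what a client
# that trusts only root.crt sees when the server also presents public.crt.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/public.crt" "$1/server.crt" >/dev/null 2>&1
}

# 0 if the leaf verifies against the root alone. It should not: the
# intermediate must be served with the leaf or pushed out alongside the root.
verify_leaf_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# 0 if certificate $1 is still valid $2 days from now. A DevCA re-issued
# every 90 days must pass for 90; a 110-day cert fails for 111.
valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
build_pki "$PKI_DIR"
make_dev_ca "$PKI_DIR/dev" 110
if verify_chain "$PKI_DIR"; then
    echo "chain ok: server -> PublicCA -> RootCA (in $PKI_DIR)"
else
    echo "chain verification FAILED"
fi
```

Two things worth noticing when running it. First, `verify_leaf_without_intermediate` fails even though the root is trusted: clients only see the chain if the web server sends public.crt along with server.crt (or the intermediate is pushed out with the root), which is the usual cause of "untrusted" warnings after a root has been deployed. Second, `valid_for_days dev/dev.crt 90` is the check to script before the 90-day re-issue: when a fresh DevCA no longer passes it, the overlap between old and new DevCA has been lost. To trust root.crt system-wide on CentOS, append it to /etc/pki/tls/certs/ca-bundle.crt on older releases, or drop it into /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust` on releases that have that tool; browsers with their own stores (Firefox) still need the import described in the CAcert wiki link above.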