What about the pki package that comes with Centos? pki-server and pki-ca?

On 04/16/2017 11:54 AM, Alice Wonder wrote:
> Oh I don't know, their github works.
>
> However it seems that it isn't able to deal with more than one ocsp
> signing key.
>
> On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
>> On 04/14/2017 10:41 PM, Alice Wonder wrote:
>>> https://www.openca.org/ might fit my needs.
>>
>> their Centos repo does not exist, it seems?
>>
>>> On 04/14/2017 06:29 PM, Alice Wonder wrote:
>>>> Hello list,
>>>>
>>>> I'm contemplating running my own CA to implement the new proposed ISP
>>>> for validation of S/MIME certificates via DANE.
>>>>
>>>> I already use self-signed for my MX servers (with 3 1 1 dane records on
>>>> TCP port 25) but I don't want to use self-signed for S/MIME for user
>>>> specific x.509 certs because
>>>>
>>>> A) That's potentially a lot of DNS records
>>>> B) That requires a hash of the e-mail addresses in DNS
>>>>
>>>> Instead, I will be using a wildcard in DNS with an intermediary that
>>>> signs the user x.509 certificates.
>>>>
>>>> Using an intermediary to sign their certificates though means I can't
>>>> just revoke their certificates by removing the DNS certificate, I'll
>>>> need to provide an OCSP server for when one of their private keys gets
>>>> compromised.
>>>>
>>>> I found
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html
>>>>
>>>> but it looks like that is intended for enterprise, more complex than I
>>>> need.
>>>>
>>>> Anyone know of a good simple script for providing OCSP?
>>>>
>>>> -=-
>>>>
>>>> Not relevant to question but just important for me to note, I will
>>>> *not* be asking people to install my root certificate in their e-mail
>>>> clients. I think it is a bad practice to get users in the habit of
>>>> installing root certificates.
>>>>
>>>> I think the PKI system has way way way too many root certificates as it
>>>> is. I want a world where DANE validates most certificates, and only a
>>>> few root certificates are needed for things like banks where EV
>>>> certificates are a must.
>>>>
>>>> DANE as a way to validate S/MIME I think will be a godsend to e-mail
>>>> security, I hope clients implement it.
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> https://lists.centos.org/mailman/listinfo/centos
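The "simple script for providing OCSP" the original post asks about, as an added example that is not from the thread or from any of the projects named in it: a file-based OCSP responder driven by nothing but the openssl CLI and an "openssl ca" style index.txt. The CA, user names, serials and dates are all constructed for the demo; a real deployment would serve the same responder logic over HTTP (openssl ocsp -port) from the URL named in the certificates' AIA extension.

```shell
#!/bin/sh
# Added example, not from the thread: a file-based OCSP responder for a small
# private issuing CA, built from the plain openssl CLI.  Every name, serial
# and date below is constructed for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway issuing CA (stands in for the intermediate that signs user certs).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Demo-Issuing-CA \
  -keyout ca.key -out ca.pem 2>/dev/null

# issue NAME SERIALHEX: key + certificate for one S/MIME user, signed by the CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1@example.com" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "0x$2" \
    -days 30 -out "$1.pem" 2>/dev/null
}
issue alice 1001
issue bob 1002

# The responder's entire database is an "openssl ca" style index.txt with six
# tab-separated fields: status, expiry, revocation info, serial, file, subject.
# bob's key is recorded as compromised, which is the case the thread is about.
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=alice@example.com\n' > index.txt
printf 'R\t300101000000Z\t250101000000Z,keyCompromise\t1002\tunknown\t/CN=bob@example.com\n' >> index.txt

# ocsp_status CERT: the client builds a request, the responder answers it from
# index.txt, the client verifies the signed response and prints the status.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout "$1.req" >/dev/null 2>&1
  # Responder side.  Signing with the CA key itself keeps the demo short; a
  # production responder should sign with a delegated certificate carrying the
  # OCSPSigning extended key usage so the CA key can stay offline.
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin "$1.req" -respout "$1.resp" -no_nonce -CAfile ca.pem >/dev/null 2>&1
  # Client side: verify the response against the CA and report the status.
  openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -respin "$1.resp" \
    -CAfile ca.pem 2>/dev/null | sed -n "s|^$1: ||p"
}

ocsp_status alice.pem   # prints: good
ocsp_status bob.pem     # prints: revoked
```

Revoking a user certificate is then a one-line edit of index.txt (flip its row from V to R with a revocation time and reason), which is exactly the workflow the thread wants for a compromised private key.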