Solved

Certification server

Posted on 2014-02-26
Last Modified: 2014-03-15
We have Linux and Windows in our environment. It's kind of a mixed environment.

What is the best way to implement a certification server in our environment?

I was thinking of a solution from the Linux side, like OpenSSL.
Please give me suggestions.
Question by: ittechlab
2 Comments

Assisted Solution

by: Dave Howe (earned 250 total points)
ID: 39891309
I am assuming you mean a CA.

If you have it (by which I mean you have a Windows server such as Win2003 or Win2008), then the Enterprise CA from Windows is probably easier: it comes bundled with Windows servers, so there is no additional cost involved, and many auto-enrollment solutions assume you will be using it.

On Linux, the best available CA is OpenCA; packages are available for most major distros.

If you don't need a full-featured CA (but just want to issue a handful of certificates), then XCA is often simplest. It is also useful if the certificates and keys you have need converting to (say) PEM for use with Linux servers.

Accepted Solution

by: btan (earned 250 total points)
ID: 39891921
This is setting up a PKI per se, which should consist of:
1) a separate certificate (also known as a public key) and private key for the server and each client (of course that can include the SSL certificate), and
2) a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates. (I believe this is what you are looking at also.)

In the setup steps and use case of OpenVPN, "easy-rsa" is suggested to achieve the above. I understand that you may not be looking at VPN, but it may be good to check out the link below for the possibilities.
https://openvpn.net/index.php/open-source/documentation/howto.html#pki

Note that on top of the PKI setup, transfer of the generated key to client and server can be manual, as depicted in the above article. The other (preferable) means is to have the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine processes the CSR and returns a signed certificate to the client.

Other CAs can have a web console to request and submit as well, like the MS Windows CA; there is a nice (but lengthy) article on the design considerations using MS PKI.
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

It would be possible to have Linux clients and servers generate the certificate request with OpenSSL and submit it to an MS Windows standalone or Enterprise CA. http://blogx.co.uk/ViewItem.asp?Entry=813
And if you already have MS SCCM, then the steps to deploy to Linux or UNIX machines are stated here: http://technet.microsoft.com/en-us/library/jj573947.aspx

Of course, the MS CA is not freely available compared to OpenSSL and the earlier candidate from the OpenVPN package.

Finally, OpenSSL is worth considering, as you suggested:
http://www.linux.com/community/blogs/133-general-linux/742528-pki-implementation-for-the-linux-admin

In the Windows Server world, this is quite easy using their PKI Services Manager. If you are anything like me you cringe at the thought of Windows Servers! In the Linux world there is TinyCA, but it depends on a graphical environment. I am sort of a minimalist, so a Desktop GUI on my servers is just not going to work for me. Under this dilemma I decided to use OpenSSL which has all the necessary functions built within it. However, these commands are long and difficult to remember and I hate having to look up syntax or notes every time I want to perform a task.

Here is where my bash script comes in. Using whiptail to add a decent interface while keeping everything within one script I included functions that:

    Manages multiple domains
    Creates a Root Certificate for each domain
    Unlimited subdomains
    Certificate revocation
