Solved

Certification server

Posted on 2014-02-26
Last Modified: 2014-03-15
We have Linux and Windows in our environment. It's kind of a mixed environment.

What is the best way to implement a certification server in our environment?

I was thinking if I have a solution from the Linux side, like OpenSSL.
Please give me suggestions.
Question by:ittechlab
2 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39891309
I am assuming you mean a CA.

If you have it (by which I mean you have a Windows server such as Win2003 or Win2008), then the Enterprise CA from Windows is probably easier - it comes bundled with Windows servers, so there is no additional cost involved, and many auto-enrollment solutions assume you will be using it.

On Linux, the best available CA is OpenCA - packages are available for most major distros.

If you don't need a full-featured CA (but just want to issue a handful of certificates) then XCA is often simplest. It is also useful if the certificates and keys you have need converting to (say) PEM for use with Linux servers.
 
LVL 64

Accepted Solution

by:
btan earned 250 total points
ID: 39891921
This is setting up a PKI per se, which should consist of:
1) a separate certificate (also known as a public key) and private key for the server and each client (of course that can include the SSL certificate), and
2) a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates (I believe this is what you are looking at also).

In the setup steps and use case of OpenVPN, "easy-rsa" is suggested to achieve the above. I understand that you may not be looking at VPN, but it may be good to check out the link below for the possibilities.
https://openvpn.net/index.php/open-source/documentation/howto.html#pki

Note that on top of the PKI setup, transfer of the generated key to client and server can be manual, as depicted in the above article. The other (preferable) means is to have the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine would process the CSR and return a signed certificate to the client.

Other CAs can have a web console to request and submit as well, like the MS Windows CA. There is a nice (but lengthy) article on the design considerations using MS PKI.
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

It would be possible to have Linux clients and servers generate the certificate request with OpenSSL and submit it to an MS Windows standalone or Enterprise CA: http://blogx.co.uk/ViewItem.asp?Entry=813
And if you already have MS SCCM, then the steps to deploy to Linux or UNIX machines are stated at http://technet.microsoft.com/en-us/library/jj573947.aspx

Of course the MS CA is not freely available compared to OpenSSL and the earlier candidate from the OpenVPN package.

Finally, OpenSSL is worth considering, as you suggested:
http://www.linux.com/community/blogs/133-general-linux/742528-pki-implementation-for-the-linux-admin

In the Windows Server world, this is quite easy using their PKI Services Manager. If you are anything like me you cringe at the thought of Windows Servers! In the Linux world there is TinyCA, but it depends on a graphical environment. I am sort of a minimalist, so a Desktop GUI on my servers is just not going to work for me. Under this dilemma I decided to use OpenSSL which has all the necessary functions built within it. However, these commands are long and difficult to remember and I hate having to look up syntax or notes every time I want to perform a task.

Here is where my bash script comes in. Using whiptail to add a decent interface while keeping everything within one script I included functions that:

    Manages multiple domains
    Creates a Root Certificate for each domain
    Unlimited subdomains
    Certificate revocation
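
The CSR flow described in the accepted answer (the client generates its own private key and the key-signing machine signs the request), as an added example that is not part of the original posts. It uses the OpenSSL command line; the host name, subject names, directories and validity periods are constructed for the demonstration.

```shell
# Added example: CSR-based enrollment against a private CA (constructed names).

# CA host: create the CA key and a self-signed CA certificate in directory $1.
# -nodes leaves the key unencrypted for this demo; protect a real CA key.
make_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'O=Example Lab' 'CN=Example Lab Root CA' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# Client: generate the private key locally in $1; only the CSR for name $2
# is meant to leave the machine.
make_csr() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' "CN=$2" > "$1/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# CA host: sign CSR $2 for DNS name $3 into $4, using CA directory $1.
# openssl x509 -req rejects a CSR whose self-signature does not verify, and the
# extensions come from this CA-side file, not from the requester's CSR.
sign_csr() {
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$3" > "$1/leaf.ext"
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -sha256 -days 365 -extfile "$1/leaf.ext" -out "$4" 2>/dev/null
}

# Relying party: the chain must verify against CA cert $1, and leaf cert $2
# must carry the public key that belongs to the client's private key $3.
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ]
}

# Demo run: two temp directories stand in for the CA host and the client.
demo() {
    n=web01.example.internal; ca=$(mktemp -d) && cl=$(mktemp -d) || return 1
    make_ca "$ca" && make_csr "$cl" "$n" &&
        sign_csr "$ca" "$cl/$n.csr" "$n" "$cl/$n.crt" &&
        check_cert "$ca/ca.crt" "$cl/$n.crt" "$cl/$n.key"
}
demo && echo "certificate issued and verified"
```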