Solved

Certification server

Posted on 2014-02-26
2
558 Views
Last Modified: 2014-03-15
We have linux and windows in our environment. Its kind of mix environment.

What is the best way to implement a certification server in our environment.

I was thinking if i have solution from linux side like open ssl.
Please give me suggestions.
0
Comment
Question by:ittechlab
2 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39891309
I am assuming you mean a CA.

If you have it (by which I mean you have a windows server such as Win2003 or Win2008), then the Enterprise CA from windows is probably easier - it comes bundled with windows servers, so there is no additional cost involved, and many auto-enrollment solutions assume you will be using it.

On linux, the best available CA is OpenCA - packages are available for most major distros.

If you don't need a full featured CA (but just want to issue a handful of certificates) then XCA is often simplest. It is also useful if the certificates and keys you have need converting to (say) PEM for use with linux servers.
0
 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 39891921
this is setting up PKI per se that should consists of:
1) a separate certificate (also known as a public key) and private key for the server and each client, (of course that can include the SSL certificate) and
2) a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates. (i believe this is what you are looking at also)

In the setting up steps and use case of openvpn, "easy-rsa" is suggested to achieve the above. understand that you may not be looking at vpn but may be good to check out below for the possibilities.
https://openvpn.net/index.php/open-source/documentation/howto.html#pki

Note that on top of the PKI setup, transfer of the generated key to client and server can be manual as depicted above article, The other (preferable) means is to have the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client.

Other CA can have web console to request and submit as well like the MS windows CA, there is nice (but lengthy) article on the design consideration using MS PKI.
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

It would be able to have linux client and server having the certificate req generated from openssl and submit to MS Window standalone or Enterprise CA. http://blogx.co.uk/ViewItem.asp?Entry=813
And if you already have MS SCCM, then the step to deploy to linux or UNix machine is stated  http://technet.microsoft.com/en-us/library/jj573947.aspx

Of course the MS CA is not freely available compared to openssl and the earlier candidate from the openvpn package

Finally OpenSSL is worth considering as you suggested
http://www.linux.com/community/blogs/133-general-linux/742528-pki-implementation-for-the-linux-admin

In the Windows Server world, this is quite easy using their PKI Services Manager. If you are anything like me you cringe at the thought of Windows Servers! In the Linux world there is TinyCA, but it depends on a graphical environment. I am sort of a minimalist, so a Desktop GUI on my servers is just not going to work for me. Under this dilemma I decided to use OpenSSL which has all the necessary functions built within it. However, these commands are long and difficult to remember and I hate having to look up syntax or notes every time I want to perform a task.

Here is where my bash script comes in. Using whiptail to add a decent interface while keeping everything within one script I included functions that:

    Manages multiple domains
    Creates a Root Certificate for each domain
    Unlimited subdomains
    Certificate revocation
0

Featured Post

Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

Join & Write a Comment

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now