Solved

Certification server

Posted on 2014-02-26
Last Modified: 2014-03-15
We have Linux and Windows in our environment. It's kind of a mixed environment.

What is the best way to implement a certification server in our environment?

I was thinking of having a solution from the Linux side, like OpenSSL.
Please give me suggestions.
0
Question by:ittechlab
2 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 39891309
I am assuming you mean a CA.

If you have it (by which I mean you have a Windows server such as Win2003 or Win2008), then the Enterprise CA from Windows is probably easier - it comes bundled with Windows servers, so there is no additional cost involved, and many auto-enrollment solutions assume you will be using it.

On Linux, the best available CA is OpenCA - packages are available for most major distros.

If you don't need a full-featured CA (but just want to issue a handful of certificates) then XCA is often simplest. It is also useful if the certificates and keys you have need converting to (say) PEM for use with Linux servers.
0
 
LVL 63

Accepted Solution

by:btan
btan earned 250 total points
ID: 39891921
This is setting up a PKI per se, which should consist of:
1) a separate certificate (also known as a public key) and private key for the server and each client (of course that can include the SSL certificate), and
2) a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates. (I believe this is what you are looking at also.)

In the setup steps and use case of OpenVPN, "easy-rsa" is suggested to achieve the above. I understand that you may not be looking at a VPN, but it may be good to check out the link below for the possibilities.
https://openvpn.net/index.php/open-source/documentation/howto.html#pki

Note that on top of the PKI setup, transfer of the generated key to the client and server can be manual, as depicted in the above article. The other (preferable) means is to have the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine would process the CSR and return a signed certificate to the client.

Other CAs can have a web console to request and submit as well, like the MS Windows CA. There is a nice (but lengthy) article on the design considerations using MS PKI.
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

It would be possible to have Linux clients and servers generate the certificate request with OpenSSL and submit it to an MS Windows standalone or Enterprise CA. http://blogx.co.uk/ViewItem.asp?Entry=813
And if you already have MS SCCM, then the steps to deploy to a Linux or UNIX machine are stated at http://technet.microsoft.com/en-us/library/jj573947.aspx

Of course the MS CA is not freely available compared to OpenSSL and the earlier candidate from the OpenVPN package.

Finally, OpenSSL is worth considering, as you suggested:
http://www.linux.com/community/blogs/133-general-linux/742528-pki-implementation-for-the-linux-admin

In the Windows Server world, this is quite easy using their PKI Services Manager. If you are anything like me you cringe at the thought of Windows Servers! In the Linux world there is TinyCA, but it depends on a graphical environment. I am sort of a minimalist, so a Desktop GUI on my servers is just not going to work for me. Under this dilemma I decided to use OpenSSL which has all the necessary functions built within it. However, these commands are long and difficult to remember and I hate having to look up syntax or notes every time I want to perform a task.

Here is where my bash script comes in. Using whiptail to add a decent interface while keeping everything within one script I included functions that:

    Manages multiple domains
    Creates a Root Certificate for each domain
    Unlimited subdomains
    Certificate revocation
0
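
The CSR workflow described in the answer above (the client generates its own key, the key-signing machine signs the request and returns a certificate), as an added example that is not part of the original post. It uses the plain `openssl` CLI; the directory layout, subject names, key sizes and validity periods are assumptions.

```sh
# Added example: CSR enrollment with plain OpenSSL. Names and paths are
# constructed; ca/ and client/ stand in for two separate machines.
set -eu

make_ca() {            # $1 = directory on the key-signing machine
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {           # $1 = directory on the client, $2 = common name
    mkdir -p "$1"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" > "$1/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    chmod 600 "$1/client.key"  # the private key stays on the client
}

sign_csr() {           # $1 = CA directory, $2 = received CSR, $3 = certificate to return
    # x509 -req checks the CSR's self-signature before signing with the CA key.
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -sha256 -days 365 -extfile "$1/ca.cnf" -extensions leaf -out "$3" 2>/dev/null
}

check_enrollment() {   # $1 = CA certificate, $2 = client certificate, $3 = client key
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ]
}

work=$(mktemp -d)
make_ca "$work/ca"
make_csr "$work/client" host1.example.internal
sign_csr "$work/ca" "$work/client/client.csr" "$work/client/client.crt"  # only CSR and cert travel
check_enrollment "$work/ca/ca.crt" "$work/client/client.crt" "$work/client/client.key"
echo "certificate chains to the CA and matches the client's key"
```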
