On Friday, 06/21/2019 at 04:27 GMT, "van Sleeuwen, Berry" <[email protected]> wrote: > It's not so much wanting to be a CA but we do need to move into SSL/TLS secured > services. We could use self-signed certificates but I do like the idea to have > a single root certificate that is used for all our VM, VSE and Linux > certificates. This way we only need to import the root CA once and all servers > will then be accepted.
These days, most companies already have a PKI in place. PKIs tend to come in 3 flavors: 1) Outsourced to a well-known 3rd party, such that your users and servers already have the needed root CA cert, so no need to distribute server certs to the clients. 2) Deployed internally using a signing (aka intermediate CA) certificate obtained from a well-known 3rd party. No need to distribute. 3) Deployed internally using a self-signed root CA The root CA cert must be distributed to all clients. Before you start generating your own, see if someone else is already doing it for you. :-) Alan Altmark Senior Managing z/VM and Linux Consultant IBM Systems Lab Services IBM Z Delivery Practice ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 [email protected] IBM Endicott ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www2.marist.edu/htbin/wlvindex?LINUX-390
