Lately I've been researching how to set up an OpenSSL Certificate of Authority [or "CA"] for my personal sites. This doesn't have to be horribly complicated, but I wanted to understand how to do it "correctly" -- and what that means doesn't seem clear. Personally I'm taking more credence in Peter Gutmann's articles than I am in the O'Reilly OpenSSL book in this area.
The most confusing part seems to be how to deal with certificate revocations. For a personal site with a small number of users this is probably not mandatory, but I'm giving it consideration anyway. There are specific spots when building keys to include URLs pointing to where CRLs [revoked certificates] will be located, and/or there are configuration sections that can be added to the OpenSSL config file for setting up OCSP to allow automated queries. OCSP seems more interesting, but the OpenSSL book I have doesn't cover how to set this up. This will explain the basics of OCSP:

http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

It makes more sense to me for this check to be automatic rather than to have to import large CRL lists *manually*, since most often these simply get ignored.

Programs I've found that include OCSP functionality:

- Firefox has OCSP built-in, but it's not used by default. See: Edit -> Preferences -> Advanced icon -> Encryption tab -> Verification button. Compare that to the "Revocation Lists" button. Is anybody actually importing those lists of bad SSL certs from various locations? I sure haven't.

- KDE [specifically the kdepim package] now has a dependency on dirmngr, which is a daemon that handles CRLs as well as OCSP requests. Do Gnome or other general window managers handle OCSP requests as well?

- An OCSP daemon isn't difficult to find -- it's built right in to OpenSSL. [See the output of 'openssl ocsp'.] The hard part is making specific SSL keys for the OCSP daemon and figuring out how to list the OCSP responder URL in SSL certs.

Questions I'm currently working to answer:

- Can the OCSP responder handle responding for the CA key itself?

- What is required to list the OCSP URL in the Root CA key?

- If an OCSP responder URL is listed, can a URL for CRLs still be listed? i.e. is it "one-or-the-other" but not both?

Has anyone else looked into this stuff?

-- Chris

-- 
Chris Knadle
[EMAIL PROTECTED]
_______________________________________________
Mid-Hudson Valley Linux Users Group
http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
Upcoming Meetings (6pm - 8pm) MHVLS Auditorium
Oct 3 - Security and Privacy
Nov 7 - Django Python Application Framework
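The setup the post is asking about, as an added worked example (this is not from the original mail and not OpenSSL project code): a throwaway CA built with the OpenSSL command line, a dedicated OCSP-signing certificate issued by that CA (the "specific SSL key for the OCSP daemon"), and a leaf certificate whose extensions carry both an OCSP responder URL (`authorityInfoAccess`) and a CRL distribution point (`crlDistributionPoints`), so the two are not one-or-the-other. The OCSP exchange is then run entirely offline with `openssl ocsp`: one invocation writes a request, one answers it from the CA's `index.txt` as the responder would, and one verifies the response against the CA. The hostnames and URLs (`ocsp.example.test`, `crl.example.test`) are assumptions for illustration only; nothing is contacted over the network.

```shell
#!/bin/sh
# Added example, not from the original mail and not OpenSSL project code.
# Builds a throwaway CA with the OpenSSL command line, a delegated OCSP-signing
# cert, and a leaf cert that carries BOTH an OCSP responder URL and a CRL
# distribution point, then answers and verifies an OCSP request offline.
# The hostnames and URLs are assumptions for illustration only.
set -eu

OCSP_URL="http://ocsp.example.test"        # assumed responder location
CRL_URL="http://crl.example.test/ca.crl"   # assumed CRL location

# build_pki DIR: create ca.{key,crt}, ocsp.{key,crt} and leaf.{key,crt} in DIR.
build_pki() {
    ( mkdir -p "$1/newcerts" && cd "$1" || exit 1
      : > index.txt; echo 1000 > serial; echo 01 > crlnumber
      cat > openssl.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir    = newcerts
database         = index.txt
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ocsp ]
# delegated responder: may sign status only for certs issued by this CA
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityInfoAccess = OCSP;URI:$OCSP_URL
crlDistributionPoints = URI:$CRL_URL
EOF
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
          -subj "/CN=Demo Root CA" -config openssl.cnf -extensions v3_ca 2>/dev/null
      for name in ocsp leaf; do
          openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
              -subj "/CN=$name.example.test" -config openssl.cnf 2>/dev/null
          openssl ca -batch -notext -config openssl.cnf -keyfile ca.key -cert ca.crt \
              -extensions "v3_$name" -in "$name.csr" -out "$name.crt" 2>/dev/null
      done )
}

# leaf_urls DIR: print the two revocation pointers embedded in leaf.crt.
leaf_urls() {
    openssl x509 -in "$1/leaf.crt" -noout -ocsp_uri
    openssl x509 -in "$1/leaf.crt" -noout -ext crlDistributionPoints
}

# ocsp_status DIR: build an OCSP request for leaf.crt, answer it from the CA's
# index.txt with the delegated signer, verify the response against ca.crt and
# print the certificate status ("good" or "revoked").
ocsp_status() {
    ( cd "$1" || exit 1
      openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
      openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
          -CAfile ca.crt -reqin req.der -respout resp.der >/dev/null 2>&1
      # exits non-zero (so aborts under set -e) unless the response chains to ca.crt
      openssl ocsp -respin resp.der -issuer ca.crt -cert leaf.crt -CAfile ca.crt \
          -no_nonce > status.txt 2>/dev/null
      sed -n '1s/^leaf\.crt: //p' status.txt )
}

# revoke_leaf DIR: mark leaf.crt revoked in the CA database and issue a CRL;
# the OCSP responder reads the same index.txt, so its answer changes too.
revoke_leaf() {
    ( cd "$1" || exit 1
      openssl ca -config openssl.cnf -keyfile ca.key -cert ca.crt \
          -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
      openssl ca -config openssl.cnf -keyfile ca.key -cert ca.crt \
          -gencrl -out ca.crl 2>/dev/null )
}

main() {
    d=$(mktemp -d)
    build_pki "$d"
    leaf_urls "$d"
    echo "before revocation: $(ocsp_status "$d")"
    revoke_leaf "$d"
    echo "after revocation:  $(ocsp_status "$d")"
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found"; fi
```

Two points this makes concrete for the questions in the post. The OCSP response is signed by `ocsp.crt`, not by the CA key, and `openssl ocsp` accepts it only because that certificate was issued directly by the CA with the `OCSPSigning` extended key usage; that is the standard way to keep the CA key off the responder host. And an OCSP certID is always relative to an issuer, so a self-signed root cannot usefully be queried through its own responder: the responder answers for certificates the CA issued, while trust in the root itself comes from the client's trust store, which is why the `authorityInfoAccess` URL goes into the issued certificates rather than the root. In production the responder would run as a service (`openssl ocsp -port ... -index ...`) at the URL the certificates name, or behind dirmngr or a browser's built-in check, and the CRL from `-gencrl` would be published at the `crlDistributionPoints` URL.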
