On Jan 30, 2008 8:13 PM, Jim Dandy <[EMAIL PROTECTED]> wrote:
> Is there a problem with buying certificates instead of running
> a certificate server?

"Problem"? No, VeriSign or whoever will gladly take your money if you insist on giving it to them. But setting up a self-hosted CA is pretty easy, so I'd say it's worth it.

> I'm guessing it would NOT be a good idea to have the VPN server double as
> the certificate server (although that's what I'd like to do).

Well, like everything in security, it's a risk management decision. Putting the CA on the VPN gateway means if someone compromises the VPN gateway they can make new certificates that claim to be you. On the other hand, if you're only using certs for VPN access, maybe that doesn't matter -- maybe compromising one would mean the other is compromised, too. (It would depend on the details of the compromise -- it might be that a certain exposure lets someone steal the private key but not tamper with the VPN itself).

The other extreme would be to put the CA on a network-disconnected machine and only exchange CSRs (certificate signing requests) and certs via sneakernet. If you're only doing a small number of certs, that might even be practical. Recycle an old computer, and there are free CA software kits if you don't have the Windows license.

Somewhere in-between would be putting the CA on another computer in your organization. That includes the Active Directory-based "Enterprise CA" that Tom Shinder mentioned. (And he didn't even mention ISA Server. Way to go Tom! ;-) )

If it's a small, low-profile organization without anything of particular interest, it's likely that they have much bigger problems to worry about than the CA getting compromised.

-- Ben
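
The network-disconnected CA workflow described in the message above, sketched with the openssl command-line tool as an added example that is not part of the original post. The three directories standing in for the CA machine, the VPN gateway and the removable media, and the subject names, key sizes and lifetimes, are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. The three directories are constructed stand-ins for the
# air-gapped CA, the VPN gateway, and the removable media between them.
offline_ca_demo() (
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT
  ca="$work/offline-ca"; gw="$work/vpn-gateway"; usb="$work/usb-stick"
  mkdir "$ca" "$gw" "$usb" || exit 1

  # [offline CA, once] create the CA key and self-signed root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Offline CA" \
    -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null || exit 1

  # [VPN gateway] generate the gateway's own key and a CSR for it.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$gw/vpn.key" -out "$gw/vpn.csr" 2>/dev/null || exit 1

  # [sneakernet ->] only the CSR is carried to the CA.
  cp "$gw/vpn.csr" "$usb/" || exit 1

  # [offline CA] check the CSR's self-signature, then sign it.
  openssl req -in "$usb/vpn.csr" -noout -verify 2>/dev/null || exit 1
  openssl x509 -req -in "$usb/vpn.csr" -days 365 \
    -CA "$ca/ca.crt" -CAkey "$ca/ca.key" -CAcreateserial \
    -out "$usb/vpn.crt" 2>/dev/null || exit 1
  cp "$ca/ca.crt" "$usb/" || exit 1

  # [<- sneakernet] the signed cert and the CA cert return to the gateway.
  cp "$usb/vpn.crt" "$usb/ca.crt" "$gw/" || exit 1

  # [VPN gateway] the cert must chain to the CA and match the local key.
  openssl verify -CAfile "$gw/ca.crt" "$gw/vpn.crt" >/dev/null 2>&1 || exit 1
  cert_pub=$(openssl x509 -in "$gw/vpn.crt" -noout -pubkey) || exit 1
  key_pub=$(openssl pkey -in "$gw/vpn.key" -pubout) || exit 1
  [ "$cert_pub" = "$key_pub" ] || exit 1

  # No private key may ever have touched the media, and the gateway must
  # not hold the CA key: a gateway compromise then cannot mint new certs.
  [ -z "$(find "$usb" "$gw" -name 'ca.key')" ] || exit 1
  [ -z "$(find "$usb" -name '*.key')" ] || exit 1
  echo "chain=ok keymatch=ok media=clean"
)

offline_ca_demo
```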
