Greetings Earthling,

I am not much of an expert on the matter of CAs, but I'll jump in with
the knowledge I have so far.
Inline.

On Tue, Oct 2, 2012 at 10:42 AM, Darod Zyree <darodzy...@gmail.com> wrote:
> Greetings,
>
> I am confused about something and I could not find the information I
> was looking for.
>
> We are planning to set up our own Certificate Authority server on our
> internal network.
> After having read several how-tos and other documentation on how to
> set up such a server, we are left with two questions:
>
> 1) Which daemon/service needs to be running for a CA server to deal
> with incoming certificate checks from clients

If you plan to go the CRL route, you need a web server (go nginx for
your own sake) that serves the CRL at the CRL URI you've set up in
your certificates.
You'd also need a way, automated or not, to generate CRLs before they expire.

If you plan to disseminate certificates using LDAP, you'd need an LDAP
server up and running. OpenLDAP is the first choice that comes to
mind, especially with the latest improvements. Search for OpenLDAP MDB
if you want to learn more.

And there is OCSP [1], an Internet protocol used for obtaining the
revocation status of an X.509 digital certificate. For this you need a
daemon that implements this protocol. I don't know much about it; I
have never studied it. I do know that EJBCA [2] has an OCSP
implementation. There may be others.

You also need a set of scripts to ease your life: scripts for
generating and revoking certificates and for other CA operations. Or
you can go the EJBCA route for a full-blown solution. That might be
overkill in your case.

[1]: http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
[2]: http://www.ejbca.org/installation-ocsp.html

>
> And
>
> 2) Which firewall ports need to be configured for this?

LDAP works on 389, and 636 (SSL).
Web service on 80.
OCSP uses HTTP as transport; you can choose 80 or another port number for that.

Cheers and Goodwill,
v

> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
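The CRL and OCSP pieces of the reply above, as an added walk-through that is not part of the original thread: a throwaway internal CA built with the openssl CLI (assumed to be OpenSSL 1.1 or later, with the `ca`, `crl`, `verify` and `ocsp` subcommands), a leaf certificate that carries the CRL distribution point and OCSP URI clients would look up, and the revoke-then-republish cycle seen from the client side through both channels. The hostnames `pki.example.internal`, the port 8080, the subject names and the CRL lifetime of 7 days are constructed for the demo; the OCSP exchange is done offline through files so that nothing has to listen on a port.

```shell
# Added example, not from the thread: a minimal internal CA driven by the
# openssl CLI, exercising both revocation channels discussed above (CRL and
# OCSP). Hostnames, URIs and file names are constructed for the demo.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"   # 'openssl ca' needs an absolute dir
# CA config. Leaf certs carry the CRL distribution point and OCSP URI that
# clients use to find the revocation service (both hosts are made up).
write_config() {
  cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
CN = overridden-by-subj
[ ca ]
default_ca = internal_ca
[ internal_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = any_policy
x509_extensions = leaf_ext
[ any_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
crlDistributionPoints = URI:http://pki.example.internal/ca.crl
authorityInfoAccess = OCSP;URI:http://pki.example.internal:8080/
EOF
}
# Create the CA database files and a self-signed CA certificate.
setup_ca() {
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"; echo 1000 > "$CA_DIR/crlnumber"
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Internal CA" \
    -config "$CA_DIR/ca.cnf" -extensions ca_ext \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}
# Issue a leaf certificate for the given name (key, CSR and cert land in CA_DIR).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$CA_DIR/ca.cnf" \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA_DIR/ca.cnf" \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" >/dev/null 2>&1
}
# Mark a cert revoked in the CA database; clients see nothing until a new CRL
# is published or an OCSP responder reads the updated index.
revoke_cert() {
  openssl ca -batch -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$1.crt" \
    -crl_reason keyCompromise >/dev/null 2>&1
}
# Publish a fresh CRL. Rerun before nextUpdate passes or CRL checks fail closed.
gen_crl() {
  openssl ca -batch -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}
# Hex CRL number of the published CRL; it increments on every gen_crl.
crl_number() {
  openssl crl -in "$CA_DIR/ca.crl" -noout -crlnumber | sed -e 's/^crlNumber=//' -e 's/^0x//'
}
# Client-side CRL check: exit 0 if the leaf chains to the CA and is not listed.
check_cert_crl() {
  openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/ca.crl" \
    "$CA_DIR/$1.crt" >/dev/null 2>&1
}
# OCSP without a network: build the request, answer it from the CA index the way
# a responder daemon would, then evaluate the answer as a client. Prints the status.
check_cert_ocsp() {
  openssl ocsp -issuer "$CA_DIR/ca.crt" -cert "$CA_DIR/$1.crt" -no_nonce \
    -reqout "$CA_DIR/$1.ocsp.req" >/dev/null 2>&1
  openssl ocsp -index "$CA_DIR/index.txt" -CA "$CA_DIR/ca.crt" -no_nonce \
    -rsigner "$CA_DIR/ca.crt" -rkey "$CA_DIR/ca.key" \
    -reqin "$CA_DIR/$1.ocsp.req" -respout "$CA_DIR/$1.ocsp.resp" >/dev/null 2>&1
  openssl ocsp -issuer "$CA_DIR/ca.crt" -cert "$CA_DIR/$1.crt" -no_nonce \
    -CAfile "$CA_DIR/ca.crt" -respin "$CA_DIR/$1.ocsp.resp" 2>/dev/null |
    awk -F': ' '/\.crt: /{print $2}'
}

# Walk through the lifecycle once: issue, publish, revoke, republish.
setup_ca
issue_cert server
gen_crl
printf 'CRL %s: CRL check %s, OCSP says %s\n' "$(crl_number)" "$(check_cert_crl server && echo ok || echo revoked)" "$(check_cert_ocsp server)"
revoke_cert server
gen_crl
printf 'CRL %s: CRL check %s, OCSP says %s\n' "$(crl_number)" "$(check_cert_crl server && echo ok || echo revoked)" "$(check_cert_ocsp server)"
```

In a real deployment the file `ca.crl` written by `gen_crl` is what gets copied to the web server behind the CRL distribution point, and the job doing that has to run well inside `default_crl_days`; the middle `openssl ocsp` call is the work an OCSP responder (for instance `openssl ocsp -port`, or EJBCA's responder) performs per request against the same `index.txt`, which is why OCSP reflects a revocation as soon as the index changes while CRL clients only see it after the next publish.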