Re: [openssl-users] Is there a "Golden" CA makefile?
On 30/04/2017 13:52, Jochen Bern wrote:
> On 04/29/2017 09:55 PM, John Lewis got digested:
>> I am looking for a CA makefile to use with an openvpn tutorial I am
>> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
>> endorsed by the openssl project?
>
> Since you're specifically mentioning Open*VPN*, let me mention that
> EasyRSA is a spin-off of that project. Not makefiles based, and working
> with sub-CAs certainly isn't easy (though *possible* with version 3),
> but if you want to see how the OpenVPN people think "their" CAs
> *should* be run, that's what I'd suggest to look at.
>
> In a more general sense, the policies and technical limitations of CAs
> vary too much for their operators to even agree on what color gold has,
> I guess ...
>
> (Not-quite-random example: Out of the box, OpenSSL dislikes CAs issuing
> same-DN certs with overlapping validity periods. OpenVPN, again out of
> the box, bases the mechanism of peer-specific configs on the CN. So if
> you want to renew the cert of some device you're managing remotely
> *through* the very VPN, you may(*) have an interest to *defeat* the
> OpenSSL behavior, so as to issue the new cert before the old one expires
> and saws off the branch you're adminning from.
>
> (*) Of course, there *are* other techniques to work around the problem,
> but.)

Not as much "defeat", as setting the relevant option by adding the
following command during CA (and SubCA) setup:

    echo "unique_subject = no" > ${CADIR}/db/index.attr

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
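As an added example (not code from the thread, OpenSSL or OpenVPN), a Python check over an `openssl ca` index.txt database that reports subjects holding more than one unexpired certificate, i.e. the same-DN overlap that the default `unique_subject = yes` refuses and that the index.attr setting above permits; it also reads index.attr so an operator can see which policy the CA is running under. The index.txt rows, the index.attr content and the evaluation time are constructed samples.

```python
"""Check an OpenSSL `openssl ca` database (index.txt) for subjects holding more
than one currently valid certificate: the state the default unique_subject = yes
refuses to create, and the one a CN-keyed OpenVPN setup needs during renewal."""
from datetime import datetime, timezone

# Constructed sample index.txt: tab-separated status, expiry (YYMMDDHHMMSSZ),
# revocation date, serial, file name, subject DN.
SAMPLE_INDEX = (
    "V\t270101000000Z\t\t1001\tunknown\t/CN=gateway.example\n"
    "V\t280101000000Z\t\t1002\tunknown\t/CN=gateway.example\n"
    "R\t270101000000Z\t240601120000Z\t1003\tunknown\t/CN=laptop-01\n"
    "V\t280101000000Z\t\t1004\tunknown\t/CN=laptop-01\n"
    "V\t230101000000Z\t\t1005\tunknown\t/CN=old-box\n"
)
SAMPLE_ATTR = "unique_subject = no\n"  # constructed index.attr, as set in the thread
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # evaluation time for the sample

def parse_index(text):
    """Yield one dict per index.txt row, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, _revoked, serial, _fname, subject = line.split("\t", 5)
        when = datetime.strptime(expiry, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        yield {"status": status, "expiry": when, "serial": serial, "subject": subject}

def unique_subject_enabled(attr_text):
    """index.attr holds `unique_subject = yes|no`; OpenSSL defaults to yes."""
    for line in attr_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "unique_subject":
            return value.strip().lower() != "no"
    return True

def live_certs_by_subject(index_text, now):
    """Map subject DN -> serials whose status is V and that are unexpired at `now`."""
    out = {}
    for row in parse_index(index_text):
        if row["status"] == "V" and row["expiry"] > now:
            out.setdefault(row["subject"], []).append(row["serial"])
    return out

def overlapping_subjects(index_text, now):
    """Subjects with more than one live cert: the same-DN overlap Jochen describes."""
    return {s: v for s, v in live_certs_by_subject(index_text, now).items() if len(v) > 1}

if __name__ == "__main__":
    print("unique_subject enforced:", unique_subject_enabled(SAMPLE_ATTR))
    for subject, serials in overlapping_subjects(SAMPLE_INDEX, SAMPLE_NOW).items():
        print(f"{subject}: live serials {', '.join(serials)}")
```

Revoked (R) and already-expired rows are excluded, so the report lists only the overlaps that matter for a CN-keyed peer config: once the new cert is deployed on the device, the old serial is the one to revoke.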
Re: [openssl-users] Is there a "Golden" CA makefile?
On 04/29/2017 09:55 PM, John Lewis got digested:
> I am looking for a CA makefile to use with an openvpn tutorial I am
> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
> endorsed by the openssl project?

Since you're specifically mentioning Open*VPN*, let me mention that
EasyRSA is a spin-off of that project. Not makefiles based, and working
with sub-CAs certainly isn't easy (though *possible* with version 3),
but if you want to see how the OpenVPN people think "their" CAs
*should* be run, that's what I'd suggest to look at.

In a more general sense, the policies and technical limitations of CAs
vary too much for their operators to even agree on what color gold has,
I guess ...

(Not-quite-random example: Out of the box, OpenSSL dislikes CAs issuing
same-DN certs with overlapping validity periods. OpenVPN, again out of
the box, bases the mechanism of peer-specific configs on the CN. So if
you want to renew the cert of some device you're managing remotely
*through* the very VPN, you may(*) have an interest to *defeat* the
OpenSSL behavior, so as to issue the new cert before the old one expires
and saws off the branch you're adminning from.

(*) Of course, there *are* other techniques to work around the problem,
but.)

Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
Robert-Koch-Straße 9, 64331 Weiterstadt, DE
Re: [openssl-users] Is there a "Golden" CA makefile?
I fought easypki for a week trying to figure out how to actually use a
Sub CA and couldn't find one. I'm not going to teach anyone not to use a
Sub CA because that would be malpractice in my opinion.

On Sat, 2017-04-29 at 23:53 +0100, Alan Buxey wrote:
> https://github.com/google/easypki ,
> http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a
> simple similar system when using OpenVPN years ago. It was (IMHO) very
> good but the powers that be decided that OpenVPN wasn't the way to go
> and so money was spent on an (inflexible and non-modifiable) closed
> source proprietary VPN solution instead :/
Re: [openssl-users] Is there a "Golden" CA makefile?
https://github.com/google/easypki ,
http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a
simple similar system when using OpenVPN years ago. It was (IMHO) very
good but the powers that be decided that OpenVPN wasn't the way to go
and so money was spent on an (inflexible and non-modifiable) closed
source proprietary VPN solution instead :/

On 29 April 2017 at 21:01, John Lewis wrote:
> You misunderstand.
>
> I don't want a list of vetted root CAs. I just want a make based wrapper
> over the OpenSSL commands to make it easier to run a CA. There are a few
> of them, but if there was one that is typically recommended instead, I
> would use that one.
Re: [openssl-users] Is there a "Golden" CA makefile?
I can point you to https://github.com/richsalz/pki-webpage

But it is *not official* and may not work for what you want.
Re: [openssl-users] Is there a "Golden" CA makefile?
You misunderstand.

I don't want a list of vetted root CAs. I just want a make based wrapper
over the OpenSSL commands to make it easier to run a CA. There are a few
of them, but if there was one that is typically recommended instead, I
would use that one.

On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
> The short answer is "no".
>
> The long answer is, OpenSSL is not in the business of vetting trust
> roots. Its business is ensuring that TLS-secured communications
> happen correctly when it is used. If you want an 'endorsed' set of
> roots, you can find such from other projects (that have no relation to
> OpenSSL, and for which OpenSSL can take no responsibility).
>
> Since I'm not a member of the OpenSSL project, I can tell you that
> there is a set of root certificates, vetted by Mozilla, available as
> part of Mozilla's NSS (Network Security Services) project. OpenSSL
> cannot take any responsibility for that set of roots or any
> behavior/misbehavior of any of the CAs represented in that set. I had
> also seen a script several years ago to convert Mozilla's format to
> OpenSSL format, but I have not needed to look into it and have thus
> lost the URL to that script since then.
>
> -Kyle H
Re: [openssl-users] Is there a "Golden" CA makefile?
The short answer is "no".

The long answer is, OpenSSL is not in the business of vetting trust
roots. Its business is ensuring that TLS-secured communications
happen correctly when it is used. If you want an 'endorsed' set of
roots, you can find such from other projects (that have no relation to
OpenSSL, and for which OpenSSL can take no responsibility).

Since I'm not a member of the OpenSSL project, I can tell you that
there is a set of root certificates, vetted by Mozilla, available as
part of Mozilla's NSS (Network Security Services) project. OpenSSL
cannot take any responsibility for that set of roots or any
behavior/misbehavior of any of the CAs represented in that set. I had
also seen a script several years ago to convert Mozilla's format to
OpenSSL format, but I have not needed to look into it and have thus
lost the URL to that script since then.

-Kyle H

On Sat, Apr 29, 2017 at 10:24 AM, John Lewis wrote:
> I am looking for a CA makefile to use with an openvpn tutorial I am
> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
> endorsed by the openssl project?
Re: [openssl-users] Is there a "Golden" CA makefile?
> I am looking for a CA makefile to use with an openvpn tutorial I am writing
> https://github.com/Oflameo/openvpn_ws. Is there one officially endorsed
> by the openssl project?

If there were, it would be in the source distribution.
[openssl-users] Is there a "Golden" CA makefile?
I am looking for a CA makefile to use with an openvpn tutorial I am
writing https://github.com/Oflameo/openvpn_ws. Is there one officially
endorsed by the openssl project?