Re: OT: Tools to manage PKI under OpenBSD

2016-06-25 Thread C. L. Martinez
On Fri 24.Jun'16 at 18:59:09 -0400, Predrag Punosevac wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> > > Am Freitag, den 24.06.2016, 11:45 + schrieb C. L. Martinez:
> > >
> > > > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > > > Searching about this topic, I think the best option is to use
> > > > customized openssl/libressl scripts, but it could be very hard to keep
> > > > for certificate requests, revocations, etc.
> > > >
> > > > Any suggestion about what can be a better option?
> > >
> > > Have a look at security/xca, else define "better option".
> > >
> > > Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
> >
> 
> easy-rsa
> 
> You just chose to ignore the answer.
> 
> Predrag
> 

Where am I saying that I'm ignoring the answer? Please wait before saying
such things.


-- 
Greetings,
C. L. Martinez



Re: OT: Tools to manage PKI under OpenBSD

2016-06-25 Thread C. L. Martinez
On Sat 25.Jun'16 at 13:56:38 +, Stuart Henderson wrote:
> On 2016-06-24, C. L. Martinez  wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> >> Am Freitag, den 24.06.2016, 11:45 + schrieb C. L. Martinez:
> >> 
> >> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> >> > Searching about this topic, I think the best option is to use
> >> > customized openssl/libressl scripts, but it could be very hard to keep
> >> > for certificate requests, revocations, etc.
> >> > 
> >> > Any suggestion about what can be a better option?
> >> 
> >> Have a look at security/xca, else define "better option".
> >> 
> >> Cheers
> >
> > For "better option", I am speaking about what could be the best tool or 
> > procedure to manage a PKI under OpenBSD.
> 
> It really depends on what your reasons are for doing this.
> 
> If you're trying to learn about the nitty gritty of generating certs,
> CRLs, revocations, etc, then using the command line tools directly
> isn't a bad idea.
> 
> If you're trying to script things but at a higher level than the
> libressl/openssl command line tool, you might want to look at something
> like https://github.com/cloudflare/cfssl.
> 
> If you're just trying to manually generate certs for lab machines
> and are happier with something visual, xca is pretty good.
> 
> Or you can look at the tools which are really made for simplifying vpn
> setup like "ikectl ca" (though the way it's designed, it really only
> makes sense if you generate the private key on a central machine, which
> is a bit non-standard though makes life easier in some cases). Or yes,
> as was already pointed out easy-rsa (though personally I find that more
> complex than easy).
> 
> If you're more interested in getting certs than investigating how to
> run pki, something like letsencrypt might work for you.
> 

Many thanks, Stuart. I have configured a PKI using openssl tools, and it is
working OK. Now I would like to install an OCSP instance to check when a
certificate is revoked, but I have some doubts:

 - When a certificate is revoked, can the .csr and .crt files (the request
   and the cert signed by the CA) be removed without problems?
 - I am trying to set up a startup script for OCSP using openssl; can this
   be accomplished in the OpenBSD way?

Thanks.

-- 
Greetings,
C. L. Martinez



Re: OT: Tools to manage PKI under OpenBSD

2016-06-25 Thread Stuart Henderson
On 2016-06-24, C. L. Martinez  wrote:
> On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
>> Am Freitag, den 24.06.2016, 11:45 + schrieb C. L. Martinez:
>> 
>> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
>> > Searching about this topic, I think the best option is to use
>> > customized openssl/libressl scripts, but it could be very hard to keep
>> > for certificate requests, revocations, etc.
>> > 
>> > Any suggestion about what can be a better option?
>> 
>> Have a look at security/xca, else define "better option".
>> 
>> Cheers
>
> For "better option", I am speaking about what could be the best tool or 
> procedure to manage a PKI under OpenBSD.

It really depends on what your reasons are for doing this.

If you're trying to learn about the nitty gritty of generating certs,
CRLs, revocations, etc, then using the command line tools directly
isn't a bad idea.

If you're trying to script things but at a higher level than the
libressl/openssl command line tool, you might want to look at something
like https://github.com/cloudflare/cfssl.

If you're just trying to manually generate certs for lab machines
and are happier with something visual, xca is pretty good.

Or you can look at the tools which are really made for simplifying vpn
setup like "ikectl ca" (though the way it's designed, it really only
makes sense if you generate the private key on a central machine, which
is a bit non-standard though makes life easier in some cases). Or yes,
as was already pointed out easy-rsa (though personally I find that more
complex than easy).

If you're more interested in getting certs than investigating how to
run pki, something like letsencrypt might work for you.



Re: OT: Tools to manage PKI under OpenBSD

2016-06-24 Thread Predrag Punosevac
> On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> > Am Freitag, den 24.06.2016, 11:45 + schrieb C. L. Martinez:
> >
> > > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > > Searching about this topic, I think the best option is to use
> > > customized openssl/libressl scripts, but it could be very hard to keep
> > > for certificate requests, revocations, etc.
> > >
> > > Any suggestion about what can be a better option?
> >
> > Have a look at security/xca, else define "better option".
> >
> > Cheers
>
> For "better option", I am speaking about what could be the best tool or
> procedure to manage a PKI under OpenBSD.
>

easy-rsa

You just chose to ignore the answer.

Predrag

>
> --
> Greetings,
> C. L. Martinez



Re: OT: Tools to manage PKI under OpenBSD

2016-06-24 Thread C. L. Martinez
On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> Am Freitag, den 24.06.2016, 11:45 + schrieb C. L. Martinez:
> 
> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > Searching about this topic, I think the best option is to use
> > customized openssl/libressl scripts, but it could be very hard to keep
> > for certificate requests, revocations, etc.
> > 
> > Any suggestion about what can be a better option?
> 
> Have a look at security/xca, else define "better option".
> 
> Cheers

For "better option", I am speaking about what could be the best tool or 
procedure to manage a PKI under OpenBSD.


-- 
Greetings,
C. L. Martinez



Re: OT: Tools to manage PKI under OpenBSD

2016-06-24 Thread Kapetanakis Giannis

On 24/06/16 14:45, C. L. Martinez wrote:

> Hi all,
>
> I would like to deploy/setup a PKI under OpenBSD for my home lab. Searching
> about this topic, I think the best option is to use customized openssl/libressl
> scripts, but it could be very hard to keep for certificate requests,
> revocations, etc.
>
> Any suggestion about what can be a better option?
>
> Thanks



The simplest option would be easy-rsa

It is in ports.

G