Re: OT: Tools to manage PKI under OpenBSD

On Fri 24.Jun'16 at 18:59:09 -0400, Predrag Punosevac wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> > > On Friday, 24.06.2016, at 11:45 +, C. L. Martinez wrote:
> > >
> > > > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > > > Searching about this topic, I think the best option is to use
> > > > customized openssl/libressl scripts, but it could be very hard to keep
> > > > for certificate requests, revocations, etc.
> > > >
> > > > Any suggestion about what can be better option?
> > >
> > > Have a look at security/xca, else define "better option".
> > >
> > > Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
>
> easy-rsa
>
> You just chose to ignore the answer.
>
> Predrag

Where am I saying that I'm ignoring the answer? Please, before saying some things, wait.

--
Greetings,
C. L. Martinez
Re: OT: Tools to manage PKI under OpenBSD

On Sat 25.Jun'16 at 13:56:38 +, Stuart Henderson wrote:
> On 2016-06-24, C. L. Martinez wrote:
> > On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> >> On Friday, 24.06.2016, at 11:45 +, C. L. Martinez wrote:
> >>
> >> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> >> > Searching about this topic, I think the best option is to use
> >> > customized openssl/libressl scripts, but it could be very hard to keep
> >> > for certificate requests, revocations, etc.
> >> >
> >> > Any suggestion about what can be better option?
> >>
> >> Have a look at security/xca, else define "better option".
> >>
> >> Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
>
> It really depends on what your reasons are for doing this.
>
> If you're trying to learn about the nitty gritty of generating certs,
> CRLs, revocations, etc, then using the command line tools directly
> isn't a bad idea.
>
> If you're trying to script things but at a higher level than the
> libressl/openssl command line tool, you might want to look at something
> like https://github.com/cloudflare/cfssl.
>
> If you're just trying to manually generate certs for lab machines
> and are happier with something visual, xca is pretty good.
>
> Or you can look at the tools which are really made for simplifying vpn
> setup like "ikectl ca" (though the way it's designed, it really only
> makes sense if you generate the private key on a central machine, which
> is a bit non-standard though makes life easier in some cases). Or yes,
> as was already pointed out, easy-rsa (though personally I find that more
> complex than easy).
>
> If you're more interested in getting certs than investigating how to
> run pki, something like letsencrypt might work for you.

Many thanks Stuart. I have configured a PKI using openssl tools, and it is working ok ...

Now, I would like to install an OCSP instance to check when a certificate is revoked ... But I have some doubts:

- When a certificate is revoked, can the .csr and .crt files (the request and the cert signed by the CA) be removed without problems?
- I am trying to set up a startup script for OCSP using openssl; can this be accomplished in the OpenBSD way?

Thanks.

--
Greetings,
C. L. Martinez
Re: OT: Tools to manage PKI under OpenBSD

On 2016-06-24, C. L. Martinez wrote:
> On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
>> On Friday, 24.06.2016, at 11:45 +, C. L. Martinez wrote:
>>
>> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
>> > Searching about this topic, I think the best option is to use
>> > customized openssl/libressl scripts, but it could be very hard to keep
>> > for certificate requests, revocations, etc.
>> >
>> > Any suggestion about what can be better option?
>>
>> Have a look at security/xca, else define "better option".
>>
>> Cheers
>
> For "better option", I am speaking about what could be the best tool or
> procedure to manage a PKI under OpenBSD.

It really depends on what your reasons are for doing this.

If you're trying to learn about the nitty gritty of generating certs,
CRLs, revocations, etc, then using the command line tools directly
isn't a bad idea.

If you're trying to script things but at a higher level than the
libressl/openssl command line tool, you might want to look at something
like https://github.com/cloudflare/cfssl.

If you're just trying to manually generate certs for lab machines
and are happier with something visual, xca is pretty good.

Or you can look at the tools which are really made for simplifying vpn
setup like "ikectl ca" (though the way it's designed, it really only
makes sense if you generate the private key on a central machine, which
is a bit non-standard though makes life easier in some cases). Or yes,
as was already pointed out, easy-rsa (though personally I find that more
complex than easy).

If you're more interested in getting certs than investigating how to
run pki, something like letsencrypt might work for you.
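
The command-line route mentioned above (certs, CRLs and revocations with the openssl tool directly), as an added example that is not part of the thread or any poster's code. The CA name `demo-ca`, the host `host1.lab.example` and the minimal `ca.cnf` are constructed for illustration; the CRL step also shows that `openssl ca -gencrl` works from `index.txt`, which bears on the question about removing `.csr`/`.crt` files after revocation.

```sh
#!/bin/sh
# Added example (constructed names demo-ca, host1.lab.example): issue, revoke, CRL-check.
q() { "$@" >/dev/null 2>&1; }            # run a command quietly
pki_demo() (
    set -e; before=fail; after=still-valid
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
    mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = lab
[ lab ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
    # Self-signed root, then key + CSR for one lab host, signed by the CA.
    q openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo-ca" -keyout ca.key -out ca.crt
    q openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=host1.lab.example" -keyout host1.key -out host1.csr
    q openssl ca -config ca.cnf -batch -notext -in host1.csr -out host1.crt
    openssl verify -CAfile ca.crt host1.crt 2>&1 | grep -q ': OK' && before=ok
    # Revoke: the certificate's index.txt line changes from V to R.
    q openssl ca -config ca.cnf -revoke host1.crt
    # The CRL is built from index.txt; the CA-side request and cert copies are not read.
    rm -f host1.csr newcerts/*.pem
    q openssl ca -config ca.cnf -gencrl -out ca.crl
    # Relying party: check the presented cert against CA cert + CRL.
    cat ca.crt ca.crl > chain.pem
    openssl verify -crl_check -CAfile chain.pem host1.crt 2>&1 |
        grep -q 'certificate revoked' && after=revoked
    echo "before=$before after=$after index=$(cut -c1 index.txt)"
)
pki_demo
```

Everything is created in a temporary directory that is removed on exit, so the script can be rerun without touching an existing CA.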
Re: OT: Tools to manage PKI under OpenBSD

> On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> > On Friday, 24.06.2016, at 11:45 +, C. L. Martinez wrote:
> >
> > > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > > Searching about this topic, I think the best option is to use
> > > customized openssl/libressl scripts, but it could be very hard to keep
> > > for certificate requests, revocations, etc.
> > >
> > > Any suggestion about what can be better option?
> >
> > Have a look at security/xca, else define "better option".
> >
> > Cheers
>
> For "better option", I am speaking about what could be the best tool or
> procedure to manage a PKI under OpenBSD.

easy-rsa

You just chose to ignore the answer.

Predrag

> --
> Greetings,
> C. L. Martinez
Re: OT: Tools to manage PKI under OpenBSD

On Fri 24.Jun'16 at 12:46:48 +, Dahlberg, David wrote:
> On Friday, 24.06.2016, at 11:45 +, C. L. Martinez wrote:
>
> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
> > Searching about this topic, I think the best option is to use
> > customized openssl/libressl scripts, but it could be very hard to keep
> > for certificate requests, revocations, etc.
> >
> > Any suggestion about what can be better option?
>
> Have a look at security/xca, else define "better option".
>
> Cheers

For "better option", I am speaking about what could be the best tool or
procedure to manage a PKI under OpenBSD.

--
Greetings,
C. L. Martinez
Re: OT: Tools to manage PKI under OpenBSD

On 24/06/16 14:45, C. L. Martinez wrote:
> Hi all,
>
> I would like to deploy/setup a PKI under OpenBSD for my home lab.
> Searching about this topic, I think the best option is to use
> customized openssl/libressl scripts, but it could be very hard to keep
> for certificate requests, revocations, etc.
>
> Any suggestion about what can be better option?
>
> Thanks

The simplest option would be easy-rsa

It is in ports.

G