On 10/2/2012 9:42 AM, Darod Zyree wrote:
> Greetings,
> I am confused about something and I could not find the information I
> was looking for.
> We are planning to set up our own Certificate Authority server on our
> internal network.
> After having read several how-to's, and other documentation on how to
> set up such a server, we are left with two questions:
> 1) Which daemon/service needs to be running for a CA server to deal
> with incoming certificate checks from clients

If you use CRL-based revocation: NONE; in fact it is recommended to
disconnect the CA computer from the network. You need to copy the
CA certificates (without private keys) and the latest CRL to a regular
web server which listens on port 80 and 443 and is set up to respond to
the authority and CRL URLs embedded in all the certs.
If you implement OCSP checking, the OCSP responder (and *only* the
OCSP responder) needs to be installed as an extension/plugin/script
of a web server, which will need to accept anonymous connections on
ports 80 and 443 like any other web server.
I am unsure if there is a way to set up an OCSP responder that does not
use the CA root key, but remains compatible with most real world clients,
but if there is, you should definitely take advantage of it and keep
the root key offline.
OCSP also has negative privacy implications, as the OCSP server can see
the individual recipients checking for individual sender certificates.
> And
> 2) Which firewall ports need to be configured for this?

The web server needs to be reachable on ports 80 and 443; the CA itself
should not be reachable by anyone but its administrator, preferably by
physical access only.
P.S.
Certificate requests should be manually vetted by a responsible
administrator who can (in a small company CA) hand carry the approved
CSR's to the CA machine for signing and then hand carry the signed
certificates back. Large public CAs need more robust multi-person
procedures.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
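The offline-CA plus web-published-CRL arrangement described in the reply above, as an added example that is not part of the original thread or of OpenSSL's own documentation. It builds a throwaway single-tier CA with openssl(1), embeds the authority (AIA) and CRL distribution point URLs in every issued certificate, publishes only the CA certificate and CRL to a directory standing in for the web server, and then shows what a relying party's CRL check looks like before and after revocation. The hostname pki.example.internal, the URLs, the CN "app01" and all file paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. All names and URLs are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Assumed URLs: the CA cert and CRL are fetched from an ordinary web server,
# never from the CA machine itself. Clients only ever need to reach this host.
CA_URL="http://pki.example.internal/ca.crt"
CRL_URL="http://pki.example.internal/ca.crl"

setup_ca() {
  cd "$WORK"
  mkdir -p ca/newcerts ca/private web
  chmod 700 ca/private
  touch ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  # Minimal CA config. leaf_ext is what puts "the authority and CRL URLs"
  # into every certificate the CA signs.
  cat > ca/openssl.cnf <<EOF
[ ca ]
default_ca = internal_ca
[ internal_ca ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = loose_policy
x509_extensions  = leaf_ext
copy_extensions  = none
[ loose_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Internal Root CA
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:$CA_URL
crlDistributionPoints = URI:$CRL_URL
EOF
  # Root key and self-signed cert: generated on the disconnected CA box.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config ca/openssl.cnf -extensions root_ext \
    -keyout ca/private/ca.key -out ca/ca.crt >/dev/null 2>&1
  publish_crl
}

# The "hand carried" CSR: generate a key+CSR for a host, sign it on the CA.
issue_cert() {  # $1 = hostname used as CN
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -config ca/openssl.cnf \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl ca -batch -config ca/openssl.cnf -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

revoke_cert() {  # $1 = hostname; mark revoked in the CA database, republish CRL
  cd "$WORK"
  openssl ca -config ca/openssl.cnf -revoke "$1.crt" >/dev/null 2>&1
  publish_crl
}

# Regenerate the CRL and copy it plus the CA cert (never the key) to the
# directory the web server serves at $CRL_URL and $CA_URL.
publish_crl() {
  cd "$WORK"
  openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl >/dev/null 2>&1
  cp ca/ca.crl web/ca.crl
  cp ca/ca.crt web/ca.crt
}

# What a relying party does with the published files: chain + CRL check.
# Exit 0 = valid, non-zero = revoked or otherwise invalid.
verify_cert() {
  cd "$WORK"
  openssl verify -crl_check -CAfile web/ca.crt -CRLfile web/ca.crl "$1.crt" >/dev/null 2>&1
}

# Confirm the issued certificate actually carries the CRL distribution point.
cert_has_crl_url() {
  cd "$WORK"
  openssl x509 -in "$1.crt" -noout -text | grep -qF "$CRL_URL"
}

setup_ca
issue_cert app01
```

In real use only the contents of `web/` move (by removable media or a one-way copy) to the HTTP server that answers for pki.example.internal on ports 80 and 443; the `ca/` tree, and `ca/private/ca.key` in particular, stays on the disconnected machine. The CRL has a `default_crl_days` lifetime, so republishing on a schedule is part of the procedure even when nothing has been revoked, otherwise clients doing `-crl_check` start failing when the copy they fetched expires.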