Re: Certificate Authority: deamon and or iptables?

2012-10-02 Thread Valentin Bud
Greetings Earthling,

I am not much of an expert on the matter of CAs but I jump in with
some knowledge I have until now.
Inline.

On Tue, Oct 2, 2012 at 10:42 AM, Darod Zyree darodzy...@gmail.com wrote:
> Greetings,
>
> I am confused about something and I could not find the information I
> was looking for.
>
> We are planning to set up our own Certificate Authority server on our
> internal network.
> After having read several how-to’s, and other documentation on how to
> set up such a server, we are left with two questions:
>
> 1) Which daemon/service needs to be running for a CA server to deal
> with incoming certificate checks from clients

If you plan to go the CRL route you need a web server (go nginx for
your own sake) that serves the CRL at the appointed CRL URI you've set
up in your Certificates.
You'd also need an automated, or not, way to generate CRLs before they expire.

If you plan to disseminate certificates using LDAP you'd need an LDAP
server up and running. OpenLDAP is the first choice that comes to
mind. Especially with the latest improvements. Search for OpenLDAP MDB
if you want to learn more.

And there is OCSP [1], an Internet protocol used for obtaining the
revocation status of an X.509 digital certificate. For this you need a
daemon that implements this protocol. I don't know many things about
it, never have studied it. I do know that EJBCA [2] have an OCSP
implementation. There may be others.

You also need a set of scripts to ease your life. Scripts for
generating, revoking certificates and other CA operations. Or you can
go the EJBCA route for a full blown solution. Might be overkill in
your case.

[1]: http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
[2]: http://www.ejbca.org/installation-ocsp.html


> And
>
> 2) Which firewall ports need to be configured for this?

LDAP works on 636 (SSL), 389.
Web service on 80.
OCSP uses HTTP as transport, you can choose 80 or another port number for that.

Cheers and Goodwill,
v

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: Certificate Authority: deamon and or iptables?

2012-10-02 Thread Jakob Bohm

On 10/2/2012 9:42 AM, Darod Zyree wrote:
> Greetings,
>
> I am confused about something and I could not find the information I
> was looking for.
>
> We are planning to set up our own Certificate Authority server on our
> internal network.
> After having read several how-to’s, and other documentation on how to
> set up such a server, we are left with two questions:
>
> 1) Which daemon/service needs to be running for a CA server to deal
> with incoming certificate checks from clients


If you use CRL-based revocation: NONE, in fact it is recommended to
disconnect the CA computer from the network.  You need to copy the
CA certificates (without private keys) and the latest CRL to a regular
web server which listens on port 80 and 443 and is set up to respond to
the authority and CRL URLs embedded in all the certs.

If you implement OCSP checking, the OCSP responder (and *only* the
OCSP responder) needs to be installed as an extension/plugin/script
of a web server, which will need to accept anonymous connections on
ports 80 and 443 like any other web server.

I am unsure if there is a way to set up an OCSP responder that does not
use the CA root key, but remains compatible with most real world clients,
but if there is, you should definitely take advantage of it and keep
the root key offline.

OCSP also has negative privacy implications, as the OCSP server can see
the individual recipients checking for individual sender certificates.


> And
>
> 2) Which firewall ports need to be configured for this?

The web server needs to be reachable on ports 80 and 443, the CA itself
should not be reachable by anyone but its administrator, preferably by
physical access only.


P.S.

Certificate requests should be manually vetted by a responsible
administrator who can (in a small company CA) hand carry the approved
CSRs to the CA machine for signing and then hand carry the signed
certificates back.  Large public CAs need more robust multi-person
procedures.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
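Both revocation paths raised in this thread (Valentin's point that a CRL is just a file a web server serves at the CDP URI and must be regenerated before it expires, and Jakob's question whether an OCSP responder can run without the root key) can be exercised end to end with nothing but the openssl CLI. The script below is an added example written for this thread; it is not code from either poster or from the OpenSSL project. It assumes a POSIX sh and openssl 1.1.1 or 3.x, and every name in it is constructed: the `Lab Root CA`, the `server1`/`server2`/`ocsp` certificates, the `crl.example.test` CDP host and the `$LAB` temp directory. The OCSP leg uses what RFC 6960 calls an authorized responder, a certificate the CA issues with the `OCSPSigning` extended key usage, so the responder host holds only that delegated key plus a copy of `index.txt`; the root key never leaves the CA machine. The OCSP request and response travel through DER files instead of a socket, so the whole thing runs offline.

```shell
# Constructed lab for both revocation paths in the thread: a CRL published to
# the web root behind the CDP URI and regenerated before it expires, plus an
# OCSP responder that signs with a delegated key so the root key stays on the
# CA box.  Needs POSIX sh and the openssl CLI (1.1.1 or 3.x); the OCSP exchange
# goes through DER files rather than a socket, so nothing listens on a port.
set -eu

LAB="${LAB:-$(mktemp -d)}"
CA_DIR="$LAB/ca"                           # offline CA: root key, index.txt, serials
WWW="$LAB/www"                             # what gets copied to the web host
CNF="$CA_DIR/openssl.cnf"
CRL_URI="http://crl.example.test/ca.crl"   # constructed CDP URI baked into leaf certs
CRL_DAYS=7                                 # CRL nextUpdate = thisUpdate + 7 days

make_ca() {
    mkdir -p "$CA_DIR/newcerts" "$WWW"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"        # hex; openssl ca bumps it on each CRL
    cat > "$CNF" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:$CRL_URI
[ ocsp_ext ]
extendedKeyUsage = critical, OCSPSigning
[ req ]
distinguished_name = req_dn
x509_extensions = root_ext
[ req_dn ]
commonName = Common Name
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Lab Root CA" \
        -config "$CNF" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    cp "$CA_DIR/ca.crt" "$WWW/ca.crt"      # the CA cert is published, the key never is
}

# issue_cert NAME [EXT_SECTION]: CSR plus signing, the step done on the CA box.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$CNF" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CNF" -extensions "${2:-leaf_ext}" \
        -in "$LAB/$1.csr" -out "$LAB/$1.crt" 2>/dev/null
}
revoke_cert() { openssl ca -config "$CNF" -revoke "$1" -crl_reason keyCompromise 2>/dev/null; }
# Sign a fresh CRL straight into the web root that serves the CDP URI.
publish_crl() { openssl ca -config "$CNF" -gencrl -crldays "$CRL_DAYS" -out "$WWW/ca.crl" 2>/dev/null; }

# crl_needs_refresh LEAD_DAYS PROBE_CERT: exit 0 when the published CRL will be past
# nextUpdate LEAD_DAYS from now; validates a known-good cert "as of" that instant.
crl_needs_refresh() {
    out=$(openssl verify -CAfile "$WWW/ca.crt" -CRLfile "$WWW/ca.crl" -crl_check \
              -attime "$(( $(date +%s) + $1 * 86400 ))" "$2" 2>&1 || true)
    case "$out" in *"CRL has expired"*) return 0 ;; esac
    return 1
}
# What a CRL-checking client does with the two files it fetched from the web host.
verify_with_crl() { openssl verify -CAfile "$WWW/ca.crt" -CRLfile "$WWW/ca.crl" -crl_check "$1" >/dev/null 2>&1; }

# ocsp_status CERT: client request -> responder -> client verification, via files.
# The responder needs ocsp.key, ocsp.crt, ca.crt and a copy of index.txt, never
# ca.key; the client accepts the signer because the CA issued it with OCSPSigning.
ocsp_status() {
    openssl ocsp -issuer "$WWW/ca.crt" -cert "$1" -no_nonce -reqout "$LAB/req.der" >/dev/null 2>&1
    openssl ocsp -index "$CA_DIR/index.txt" -CA "$WWW/ca.crt" -rsigner "$LAB/ocsp.crt" \
        -rkey "$LAB/ocsp.key" -ndays 1 -reqin "$LAB/req.der" -respout "$LAB/resp.der" >/dev/null 2>&1
    out=$(openssl ocsp -issuer "$WWW/ca.crt" -cert "$1" -no_nonce -CAfile "$WWW/ca.crt" \
              -respin "$LAB/resp.der" 2>&1 || true)
    case "$out" in *"Response verify OK"*) ;; *) echo verify-failed; return 0 ;; esac
    case "$out" in *"$1: good"*) echo good ;; *"$1: revoked"*) echo revoked ;; *) echo unknown ;; esac
}

demo() {
    make_ca; issue_cert server1; issue_cert server2
    issue_cert ocsp ocsp_ext               # delegated OCSP signing cert
    revoke_cert "$LAB/server2.crt"; publish_crl
    crl_needs_refresh 3 "$LAB/server1.crt" && echo "CRL: regenerate now" || echo "CRL: good for 3 more days"
    verify_with_crl "$LAB/server1.crt" && echo "server1 via CRL: accepted"
    verify_with_crl "$LAB/server2.crt" || echo "server2 via CRL: rejected (revoked)"
    echo "server1 via OCSP: $(ocsp_status "$LAB/server1.crt")"
    echo "server2 via OCSP: $(ocsp_status "$LAB/server2.crt")"
}
demo
```

In a real deployment the `openssl ca` calls (`issue_cert`, `revoke_cert`, `publish_crl`) run on the disconnected CA machine and only `ca.crt`, `ca.crl`, the `ocsp.*` pair and a copy of `index.txt` are carried to the web host, which is exactly the split both replies describe. `crl_needs_refresh` is the check a daily cron job on the CA box should make: with a seven-day CRL and a three-day lead it answers "no", with a ten-day lead it answers "yes", and the CDP URI in every leaf certificate means clients will reject everything once the published CRL passes `nextUpdate`. Jakob's privacy caveat is visible in the same lab: `openssl ocsp -reqin "$LAB/req.der" -req_text` shows the serial number the responder learns on every query, which a CRL download never reveals.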