Michael Leone on 12 Jun 2019 08:57:38 -0700



[PLUG] Let's talk about certificate authorities


Even though we are pretty much a fully Windows shop here, I use an old Linux VM as a certificate authority (and to do a couple other things). And by "old", I mean:

vadmin@admnftp002:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 9.10
Release:        9.10
Codename:       karmic

So here's the problem. That CA is so old, it's still a SHA1 root certificate. So what I need is a newer, shinier CA that uses at least a SHA256 cert. Now, we're talking about less than a dozen certs. And so what I'm thinking is just create a brand new CA (with a slightly different name), and issue new requests from the current clients. Then the new CA can issue them new certs, and the current clients can use the new, SHA256 certs.

Sounds reasonable? And what's the easiest way to accomplish this, rather than the full-on, enterprise-grade PKI infrastructure tied to AD that Microsoft recommends (and I don't really need)?

So: any recommendations? Just get the latest Ubuntu LTS ISO, make a VM, and become a new CA? Use some specific GUI CA software? (trust me, the other guys here seem to think command lines are archaic and obsolete, so I want a GUI, if possible). I see recommendations for DogTag (https://www.dogtagpki.org/wiki/PKI_Main_Page); any others?

These certs are solely for internal systems (SolarWinds monitoring, our Cisco UCP phone system, etc). And all I really need is an easy interface to handle requests and issue new certs, of proper strength.

Thoughts?

-- 

Michael J. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Just backpacking through the Uncanny Valley ....
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
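For anyone following the thread, here is the cycle Michael describes (new SHA-256 root, clients submit CSRs, the CA signs them) done with plain openssl, as an added example rather than anything from the original post or from DogTag. It assumes openssl is on PATH; the CA name, host name and scratch directory are made up for the example.

```shell
#!/bin/sh
# Constructed example: stand up a SHA-256 root CA, have a "client" generate
# a CSR, sign it, and confirm the leaf chains to the new root and is SHA-256.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # throwaway scratch directory (assumption)

make_ca() {
    # 4096-bit RSA root key plus a self-signed root cert; -sha256 is what
    # replaces the old SHA-1 signature on the root
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Internal CA 2019" >/dev/null 2>&1
}

make_csr() {
    # What a client (monitoring box, phone system, ...) hands to the CA:
    # its own key stays on the client, only the CSR travels
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
}

sign_csr() {
    # CA signs the CSR; -sha256 makes the leaf signature SHA-256 as well
    openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

sig_alg() {
    # Print a cert's signature algorithm, e.g. sha256WithRSAEncryption,
    # which is the check to run on the old CA's root too
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/ *Signature Algorithm: //p' | head -n 1
}

verify_chain() {
    # Exit 0 only if the leaf validates against the new root
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

issue_cert() {
    # Full cycle for one host name; prints the leaf's signature algorithm
    make_csr "$1" && sign_csr "$1" && verify_chain "$1" && sig_alg "$WORK/$1.crt"
}
```

Running `make_ca` once and then `issue_cert host.example.internal` per client leaves ca.key as the only secret to protect; the clients' keys never leave their own boxes.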