Even though we are pretty much a fully Windows shop here, I use an old Linux VM as a certificate authority (and to do a couple of other things). And by "old", I mean:
vadmin@admnftp002:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic
So here's the problem. That CA is so old, it's still a SHA-1 root certificate. So what I need is a newer, shinier CA that uses at least a SHA-256 cert. Now, we're talking about fewer than a dozen certs. And so what I'm thinking is to just create a brand new CA (with a slightly different name) and issue new requests from the current clients. Then the new CA can issue them new certs, and the current clients can use the new SHA-256 certs.
Does that sound reasonable? And is it the easiest way to accomplish this, rather than the full-on, enterprise-grade PKI infrastructure tied to AD that Microsoft recommends (and that I don't really need)?
So: any recommendations? Just get the latest Ubuntu LTS ISO, make a VM, and become a new CA? Use some specific GUI CA software? (Trust me, the other guys here seem to think command lines are archaic and obsolete, so I want a GUI, if possible.) I see recommendations for DogTag (https://www.dogtagpki.org/wiki/PKI_Main_Page); any others?
These certs are solely for internal systems (SolarWinds monitoring, our Cisco UCP phone system, etc.). And all I really need is an easy interface to handle requests and issue new certs, of proper strength.
Thoughts?
--
Just backpacking through the Uncanny Valley ....
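As an added example that is not part of the original post: the plan described above (a new SHA-256 root, CSRs generated on the existing clients, leaf certs signed by the new CA) done with plain OpenSSL, which is what the GUI front-ends drive underneath anyway. The CA name, the hostnames, the lifetimes and the scratch directory are assumptions chosen for illustration, not values from the post; `sig_alg` is the check that tells a SHA-1-signed root or leaf apart from a SHA-256 one.

```shell
#!/bin/sh
# Added example, not from the original post: create a SHA-256-signed root CA,
# have a "client" produce a CSR (its private key never leaves it), sign the
# CSR with the new CA, and verify the result. All names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; a real CA keeps these on disk
CA_KEY="$WORK/ca.key"
CA_CERT="$WORK/ca.crt"

# Minimal req config so the script does not depend on a system openssl.cnf.
# v3_ca restricts the root to signing certificates and CRLs.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {
    # New root: 4096-bit RSA, self-signed, SHA-256 signature, 10-year lifetime.
    openssl genrsa -out "$CA_KEY" 4096 2>/dev/null
    openssl req -x509 -new -key "$CA_KEY" -sha256 -days 3650 \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -subj "/O=Example Corp/CN=Example Internal Root CA 2" \
        -out "$CA_CERT" 2>/dev/null
}

issue_cert() {
    # $1 = hostname of an internal system. Key and CSR are what the client
    # side generates; only the .csr is sent to the CA.
    host="$1"
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=$host" -out "$WORK/$host.csr" 2>/dev/null
    # Leaf extensions: not a CA, TLS server use, and a SAN (clients ignore CN).
    cat > "$WORK/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -in "$WORK/$host.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -sha256 -days 825 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.crt" 2>/dev/null
}

sig_alg() {
    # Print the signature algorithm of a certificate file, e.g.
    # sha256WithRSAEncryption. Run this over the old CA to see sha1WithRSA...
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

sig_is_sha2() {
    # Exit 0 if the cert is signed with SHA-256 or stronger, 1 otherwise.
    case "$(sig_alg "$1")" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

verify_chain() {
    # Does the leaf chain to the new root?
    openssl verify -CAfile "$CA_CERT" "$1" >/dev/null 2>&1
}

# Demo run: build the root and issue certs for two placeholder hosts.
make_ca
for h in solarwinds.example.internal cucm.example.internal; do
    issue_cert "$h"
    printf '%s: %s, chain %s\n' "$h" "$(sig_alg "$WORK/$h.crt")" \
        "$(verify_chain "$WORK/$h.crt" && echo ok || echo FAIL)"
done
echo "root: $(sig_alg "$CA_CERT"), files in $WORK"
```

Run it with sh and check that every line reports sha256WithRSAEncryption; the same `sig_alg` function run against the existing certs shows which ones still need reissuing. Whatever front-end ends up doing the signing, the two things worth keeping from this are that the CA key lives only on the CA host (clients send a CSR, never a key) and that leaf certs carry a subjectAltName, since current browsers and most agents no longer match on CN.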