Keith C. Perry on 12 Jun 2019 09:30:05 -0700



Re: [PLUG] Let's talk about certificate authorities


"So: any recommendations? Just get the latest Ubuntu LTS ISO, make a VM, and become a new CA?"

That is what I did in a previous life and would do it again if I needed.  No reason to over-complicate things for a process that works.  All you really need to do is this major upgrade to bring everything current.

Also, even if you wanted to explore alternatives, I would do it this way to get the work done and then play with new methods in your lab.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com


From: "Michael Leone" <turgon@mike-leone.com>
To: "PLUG" <plug@lists.phillylinux.org>
Sent: Wednesday, June 12, 2019 11:57:15 AM
Subject: [PLUG] Let's talk about certificate authorities

Even though we are pretty much a fully Windows shop here, I use an old Linux VM as a certificate authority (and to do a couple other things). And by "old", I mean:
vadmin@admnftp002:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 9.10
Release:        9.10
Codename:       karmic

So here's the problem. That CA is so old, it's still a SHA1 root certificate. So what I need is a newer, shinier CA that uses at least a SHA256 cert. Now, we're talking about less than a dozen certs. And so what I'm thinking is just create a brand new CA (with a slightly different name), and issue new requests from the current clients. Then the new CA can issue them new certs, and the current clients can use the new, SHA256 certs.

Sounds reasonable? And what's the easiest way to accomplish this, rather than the full-on, enterprise-grade PKI infrastructure tied to AD that Microsoft recommends (and I don't really need)?

So: any recommendations? Just get the latest Ubuntu LTS ISO, make a VM, and become a new CA? Use some specific GUI CA software? (trust me, the other guys here seem to think command lines are archaic and obsolete, so I want a GUI, if possible). I see recommendations for DogTag (https://www.dogtagpki.org/wiki/PKI_Main_Page); any others?

These certs are solely for internal systems (SolarWinds monitoring, our Cisco UCP phone system, etc). And all I really need is an easy interface to handle requests and issue new certs, of proper strength.

Thoughts?

-- 

Michael J. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Just backpacking through the Uncanny Valley ....

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug