Michael Leone on 12 Jun 2019 12:29:10 -0700



Re: [PLUG] Let's talk about certificate authorities


On Wed, Jun 12, 2019 at 3:18 PM JP Vossen <jp@jpsdomain.org> wrote:
> I agree with Keith but...what about Let's Encrypt?  Possibly more
> trouble than it's worth, but worth at least some research and thought.
>
> Here is some of my cheat sheet for the next time I have to do that same
> thing.  I'm not aware of any GUI stuff, but that's also not what I look
> for.  I'd be interested to hear your thoughts and results.  Preso?

Well, since posting initially, this is what I think I will do:

Root CA on an Ubuntu 18.04 LTS VM (RSA 2048/4096 key with SHA256)
An issuing sub-CA on a Win 2016 VM domain member

That way, I get the benefits of an AD-integrated CA (with
auto-enrollment, and possibly web-enrollment) but still have an
"offline" (i.e., not domain joined) root CA.

Plus, if my guys do need to issue a cert without me, they'll do it on
Windows (if not on auto). No need to install anything more on the
Linux VM except the CA part.
And they'll never have to touch it ...

And it (mostly) follows MS recommended practices for offline CA with
online issuing CA ...

>
> First, the best docs I've found on the general topic are:
> https://jamielinux.com/docs/openssl-certificate-authority/
>
> Also long but good:
> https://www.feistyduck.com/library/openssl%2dcookbook/online/.

I will examine those.

Thanks!
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
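
The layout described in the message above, sketched with openssl as an added example (not code from the thread or from either poster): an offline root signs a subordinate-CA request and the result is checked. The names, lifetimes, key-usage values and the `pathlen:0` constraint are assumptions of this example, and the CSR is generated locally as a stand-in for the request file the Windows issuing CA would produce.

```shell
# Added example, not from the thread. Names, lifetimes and pathlen:0 are assumptions.
set -eu
write_cnf() {   # $1 = working directory on the root CA host
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

make_root() {   # RSA 4096 + SHA-256; -nodes only so the demo runs unattended
  openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 7300 \
    -config "$1/ca.cnf" -subj "/O=Example Org/CN=Example Root CA" \
    -keyout "$1/root.key" -out "$1/root.crt"
}

make_subca_csr() {   # stand-in for the request the issuing CA hands over
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -config "$1/ca.cnf" -subj "/O=Example Org/CN=Example Issuing CA" \
    -keyout "$1/sub.key" -out "$1/sub.csr"
}

sign_subca() {   # runs on the root host; only the CSR in and the cert out cross over
  openssl x509 -req -in "$1/sub.csr" -sha256 -days 1825 \
    -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
    -extfile "$1/ca.cnf" -extensions v3_subca -out "$1/sub.crt"
}

check_subca() {   # chain verifies, and the sub-CA cannot mint further CAs
  openssl verify -CAfile "$1/root.crt" "$1/sub.crt" >/dev/null &&
  openssl x509 -in "$1/sub.crt" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

if [ "${1:-}" = "demo" ]; then   # pass "demo" as the first argument to run it
  d=$(mktemp -d); write_cnf "$d"; make_root "$d"; make_subca_csr "$d"; sign_subca "$d"
  check_subca "$d" && echo "chain OK in $d"
fi
```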