
Re: Storing TLS credentials in the directory



On 9 Apr 2017, at 14:40, Michael Ströder <michael@stroeder.com> wrote:

> Hmm, every time in a customer encryption/PKI project the customer requested that it
> should be secure *and* easy to use. This is kind of a contradiction to begin with.
> 
> (Well, I swore to myself not to develop another PKI system again. But every other
> implementation pretty much sucks, especially in the naming, registration, authorization
> parts...umpf! But be assured: It's *very* hard to get it really right.)

I think, without having actually done it myself or having used something like this
in production, that “The CA Solution (tm)” tries to do _EVERYTHING_ (!!) that
could possibly be done in/with a CA.

But if you boil it down to the minimum requirements, all it should be able/have to
do is:

    1) Receive a [hostname/fqdn/full name] request for a [host/user] certificate
    2) Create the public/private key for that request
    3) Sign it with the CA cert “in storage” (root or intermediate)
    4) Hand that over to the requester in as secure a way as possible

At least, that is all _I_ want/need. I’m sure there are hundreds of other things to be done,
but if we keep it simple, this is all it should have to do.

I’m going to have to read up on slapo-autoca, because I’ve never heard about that
before.

But when I started my thread about “CA product” a few weeks ago, I think I got an
answer saying it was not maintained any more…?

But considering Howard's discussion on private keys, I’m assuming that it doesn’t
have the core basics above?
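The four-step "minimal CA" sketched in the message above, written out with the openssl command line as an added example; this is not code from the thread, from OpenLDAP or from slapo-autoca. The function names (`mini_ca_init`, `mini_ca_issue`, `mini_ca_verify`), the directory layout, the CA subject and the host name `ldap.example.test` are all assumptions made for the example. Step 2 follows the message literally: the CA generates the key pair on the requester's behalf, so the key is written with a restrictive umask and the hand-over (step 4) is left to whatever protected channel the operator has.

```shell
#!/bin/sh
# Added example, not from the thread: a "minimal CA" that only does the four
# steps listed in the message. All paths are constructed scratch locations.
set -eu

# One-off setup: create the root CA key and self-signed certificate "in storage".
mini_ca_init() {
    ca_dir=$1
    umask 077                                   # private keys unreadable to others
    mkdir -p "$ca_dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Minimal Root CA" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" 2>/dev/null
}

# Steps 1-4: receive a request for a host certificate (the FQDN), create the
# key pair for that request, sign it with the stored CA, and drop key + cert
# in a per-request directory that only the owner can read.
mini_ca_issue() {
    ca_dir=$1
    fqdn=$2      # 1) the requested host name
    out_dir=$3
    umask 077
    mkdir -p "$out_dir"
    # 2) key pair for the request, generated by the CA on the requester's behalf
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$out_dir/$fqdn.key" 2>/dev/null
    # internal CSR carrying the name; the requester never has to craft one
    openssl req -new -key "$out_dir/$fqdn.key" -subj "/CN=$fqdn" \
        -out "$out_dir/$fqdn.csr" 2>/dev/null
    # 3) sign with the CA in storage; a SAN is added because clients no longer
    #    match on the CN alone
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$out_dir/$fqdn.ext"
    openssl x509 -req -in "$out_dir/$fqdn.csr" \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -days 90 -extfile "$out_dir/$fqdn.ext" -out "$out_dir/$fqdn.crt" 2>/dev/null
    rm -f "$out_dir/$fqdn.csr" "$out_dir/$fqdn.ext"
    # 4) hand-over: the caller collects $out_dir/$fqdn.key and .crt over a
    #    protected channel; the path of the certificate is returned here
    echo "$out_dir/$fqdn.crt"
}

# Sanity check a requester would run: the cert chains to the CA and names the host.
mini_ca_verify() {
    ca_dir=$1
    cert=$2
    fqdn=$3
    openssl verify -CAfile "$ca_dir/ca.crt" "$cert" >/dev/null 2>&1 &&
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "DNS:$fqdn"
}

# Usage as a script: ./mini_ca.sh ldap.example.test
if [ -n "${1:-}" ]; then
    work=$(mktemp -d)
    mini_ca_init "$work/ca"
    cert=$(mini_ca_issue "$work/ca" "$1" "$work/issued")
    mini_ca_verify "$work/ca" "$cert" "$1" && echo "issued and verified: $cert"
fi
```

Everything the CA needs to keep secret sits under `ca.key`; the example does nothing to protect it beyond file permissions, which is exactly the part the rest of the thread (storing credentials in the directory, slapo-autoca) is about.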