
Re: Is CA issued certificate using OpenSSL as good as GoDaddy



On Thu, 12 Mar 2015 19:04:26 +0000,
jeevan kc <jeev_biz@hotmail.com> wrote:

> I followed the below OpenLDAP guide to create a CA issued certificate
> using OpenSSL and was able to enable SSL in the ldap server and
> applications can connect via ldaps:// port 636. Now I have some
> questions from the management whether this certificate is as safe as
> the commercial certificates out there. Can someone clarify this? I
> would appreciate it.
[...]

It seems the management has only restricted knowledge. Ask your
management what is considered a safe commercial certificate.
To my understanding, a safe Certification Authority (CA) is safe as
long as the key is stored in an iron safe and not available to the
world, while the certificate (CA) has to be available to the world.
An X.509 (host or user) certificate, created according to ITU-T X.509 and
signed with your CA, is secure if it meets today's agreed security
measurements, i.e.

- use a 2048 bit RSA or a 256 bit ECDSA private key
- secure the host and user private keys 
- use elliptic curve cryptography for transport security

You may want to read
https://www.feistyduck.com/books/openssl-cookbook/

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
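
An added example, not part of the original message: a Python check of the first two list items above, run against the text printed by `openssl x509 -noout -text` and against the permissions of a private key file. The function names and the sample dumps are constructed for illustration.

```python
import os
import re
import stat

# Minimum key sizes from the list in the message, keyed by the algorithm
# name that `openssl x509 -noout -text` prints.
MIN_BITS = {"rsaEncryption": 2048, "id-ecPublicKey": 256}

def key_strength_findings(x509_text):
    """Check the Subject Public Key Info lines of an openssl text dump."""
    algo = re.search(r"Public Key Algorithm:\s*(\S+)", x509_text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", x509_text)
    if not (algo and bits):
        return ["no public key algorithm/size found in input"]
    name, size = algo.group(1), int(bits.group(1))
    if name not in MIN_BITS:
        return [f"key algorithm {name} is not RSA or EC"]
    if size < MIN_BITS[name]:
        return [f"{name} key is {size} bit, below {MIN_BITS[name]}"]
    return []

def key_file_findings(path):
    """Flag a private key file that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {mode:03o}; restrict it to the owner (e.g. 0600)"]
    return []

# Constructed samples in the layout of `openssl x509 -noout -text` output.
SAMPLE_RSA_1024 = """\
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
SAMPLE_EC_256 = """\
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
"""

if __name__ == "__main__":
    for label, text in (("rsa-1024", SAMPLE_RSA_1024), ("ec-256", SAMPLE_EC_256)):
        print(label, key_strength_findings(text) or "ok")
```

The same checks apply unchanged to a certificate from a commercial CA, since neither depends on who signed it.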