LinuxQuestions.org
Old 11-16-2004, 09:32 AM   #1
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Rep: Reputation: 16
OpenSSL CA for Intranet Infrastructure


I need to establish my own root CA for my company Intranet using OpenSSL - right now so I can use SSL on an email system (Postfix TLS and Stunnel for POP3S) and probably later for IIS/Apache web servers. Seems pretty easy, just run CA.pl -newca and then start making certificates for the servers, and install the root certificate on all client programs (Outlook, Thunderbird).

My question is where do I keep/back up the files and what's best to use for the "Common Name" of the CA? I'm guessing if I make the CA on my workstation, I should be able to back up the demoCA folder and any keys/certificates I've made, or maybe just keep them on a USB key drive. Can I just move these files from my workstation to somewhere else, for example if I decide to use an old laptop as a dedicated CA "server", as long as it has openssl installed? And right now I used my workstation's full DNS name as the CN - am I probably better off using something like "My Company CA" instead?

Thanks,
slacky
 
Old 11-16-2004, 09:43 AM   #2
overlord73
Member
 
Registered: Apr 2004
Location: ..where no life dwells..
Posts: 541

Rep: Reputation: 30
hi slacky,

the common name of your request must be identical to the hostname of your server!
 
Old 11-16-2004, 09:48 AM   #3
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Original Poster
Rep: Reputation: 16
Quote:
Originally posted by overlord73
hi slacky,

the common name of your request must be identical to the hostname of your server!
Right, that's what I thought at first - which makes sense for the mail servers or the web servers themselves. But what if I create the root CA on a different box, and use it to sign the mail server's certificate? If you look at some of the root certificates that come with Firefox they don't seem to use hostnames as the CN.
 
Old 11-24-2004, 03:26 AM   #4
overlord73
Member
 
Registered: Apr 2004
Location: ..where no life dwells..
Posts: 541

Rep: Reputation: 30
haven't tried it, but i think the server certificate is independent from the root CA.

-make CA on machine1
-make cert on machine1
-sign cert on machine1
-copy server.crt and server.key to machine2 in directories

when a client opens the page (on machine2) there comes a warning, because the CA could not be verified or similar... (the private CA is not public!). the client must ignore the message or install the cert. i think that's it!!
or?
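
The workflow discussed in this thread, as an added example that is not from any of the posts: a root CA whose CN is a descriptive label signs a certificate for a server hostname, and a client that trusts ca.crt verifies it. The hostname mail.example.internal, the file names and the subject values are constructed, and it uses plain `openssl req`/`openssl x509` commands rather than CA.pl.

```shell
#!/bin/sh
# Added example; hostname, file names and subject values are constructed.
set -eu

# Minimal config so the commands do not depend on the system openssl.cnf.
write_cnf() {
cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA on "machine1": the CN is a descriptive label, not a hostname.
# -nodes keeps the demo non-interactive; protect a real CA key with a passphrase.
make_ca() {             # $1 = CA directory
    write_cnf "$1"
    openssl req -x509 -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/O=My Company/CN=My Company CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# Server key + CSR, signed by the CA. Here the name must match the host
# that clients connect to (both CN and subjectAltName are set).
issue_server_cert() {   # $1 = CA directory, $2 = server hostname
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/server.ext"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/server.ext" \
        -out "$1/server.crt" 2>/dev/null
}

# What a client does once ca.crt is installed as a trusted root.
client_trusts() {       # $1 = CA cert, $2 = server cert, $3 = expected hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_server_cert "$demo_dir" mail.example.internal
client_trusts "$demo_dir/ca.crt" "$demo_dir/server.crt" mail.example.internal \
    && echo "server.crt verifies against ca.crt for mail.example.internal"
```

Only server.crt and server.key go to the server and only ca.crt goes to clients; ca.key stays on the CA machine and in its backup.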
 
  

