Indeed we do have a company CA in place. But they don't (or rather will not) 
support our server domain name. So any request to our company CA to process a 
certificate request is denied. That's why I would like to enroll my own root CA 
and sign the certificates myself. Indeed the public root certificate then must 
be made available to all clients.

Met vriendelijke groet/With kind regards/Mit freundlichen Grüßen,
Berry van Sleeuwen
Flight Forum 3000 5657 EW Eindhoven

-----Original Message-----
From: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> On Behalf Of Alan Altmark
Sent: Friday, June 21, 2019 8:57 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Building a Certificate Authority

On Friday, 06/21/2019 at 04:27 GMT, "van Sleeuwen, Berry"
<berry.vansleeu...@atos.net> wrote:
> It's not so much wanting to be a CA but we do need to move into SSL/TLS
> secured services. We could use self-signed certificates but I do like the
> idea to have a single root certificate that is used for all our VM, VSE and
> Linux certificates. This way we only need to import the root CA once and all
> servers will then be accepted.

These days, most companies already have a PKI in place.  PKIs tend to come in 3 
flavors:

1) Outsourced to a well-known 3rd party, such that your users and servers 
already have the needed root CA cert, so no need to distribute server certs to 
the clients.

2) Deployed internally using a signing (aka intermediate CA) certificate 
obtained from a well-known 3rd party.  No need to distribute.

3) Deployed internally using a self-signed root CA.  The root CA cert must
be distributed to all clients.

Before you start generating your own, see if someone else is already doing it 
for you.  :-)

Alan Altmark

Senior Managing z/VM and Linux Consultant IBM Systems Lab Services IBM Z 
Delivery Practice ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott


----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to 
lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
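
The single-root setup discussed in this thread (flavor 3 in the quoted message), as an added example that is not part of either poster's message: one self-signed root signs two server certificates, and a client holding only that root accepts both. The organisation name, host names, key sizes and lifetimes are constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: one private root CA, two server certificates (all names constructed).
set -eu
WORK=$(mktemp -d)   # scratch area; a production root key belongs offline or in an HSM

make_root_ca() {
  # Explicit config so the result does not depend on the system openssl.cnf.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = Example Org
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

issue_server_cert() {   # $1 = DNS name the clients will connect to
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/ca.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  # Leaf extensions: not a CA, server use only, name carried in subjectAltName.
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

trusted_by() {   # $1 = trust anchor file, $2 = certificate, $3 = host name expected
  openssl verify -CAfile "$1" -no-CApath -purpose sslserver -verify_hostname "$3" \
    "$2" >/dev/null 2>&1
}

make_root_ca
issue_server_cert vm1.example.internal
issue_server_cert linux1.example.internal
for h in vm1.example.internal linux1.example.internal; do
  trusted_by "$WORK/root.crt" "$WORK/$h.crt" "$h" && echo "$h: accepted with root imported"
done
```

Only `root.crt` is distributed to clients; `root.key` stays with whoever operates the CA, since anyone holding it can issue certificates that every one of those clients will accept.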