Hi Andrew,

It's pretty much the typical argument of commercial software vs. open
source.  There are a few open source PKI initiatives underway.  I
haven't really followed them in the last couple of years, but this is a
decent resource to read about them:  http://ospkibook.sourceforge.net/

If your plan is to develop a fully functional CA from OpenSSL on your
own, then that is a pretty serious undertaking.   A main advantage of
the commercial CAs is that they have people dedicated to keeping up with
industry, new protocols, new standards, bug fixes, security patches,
etc. These are someone else's problem.  They will have worried about
Hardware Security Modules, smartcards, various APIs, interoperability in
general.

If you have a ton of time, then developing your own CA from OpenSSL
would be an interesting project.   Depending on what kind of
certificates you plan to issue, you might have all kinds of
regulatory concerns as well.

If you have enough money to be considering commercial CA software, then
you might also want to consider a commercial CA service. For about the
cost of a commercial CA license, companies like GlobalSign or VeriSign
can set you up with service to manage a PKI and meet most requirements,
and still give you complete control over the whole certificate
lifecycle.

I hope that helps,

Eriks Richters, CISSP


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew White
Sent: Thursday, August 10, 2006 2:32 PM
To: openssl-users@openssl.org
Subject: Custom CA vs Openssl CA

Are there any major advantages to using a third party packaged CA over
openssl's CA? The CA from openssl seems more than adequate for most
uses. A concern I am hearing is developing an interface to openssl CA
would be time consuming and might have security issues. Is this a valid
concern or would taint checking and pam authentication be more difficult
than I am envisioning?

Thanks,
Andrew
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
