On Thu, Jul 26, 2012 at 4:45 AM, Marco Molteni (mmolteni) <mmolt...@cisco.com> wrote:
> Hi,
>
> there are two open source CA systems I am aware of, although I haven't
> tried them out.
>
> I think they can be a good starting point instead of doing everything from
> scratch :-)
>
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> http://openca.org/projects.shtml
>
> marco
>
> PS: Adding a Subject line helps...

Thanks. That was a case of a click finger that was too fast. I hadn't realized
I'd sent it without a subject until I started getting replies. I'll take a look
at these sites and see how far they get me.

Thanks

Ted

> On Jul 25, 2012, at 19:49, Ted Byers wrote:
>
> > Hi All
> >
> > I just subscribed to this list.
> >
> > I have some familiarity with openssl having used it to generate self
> > signed keys for testing secured web applications (on Apache 2.2),
> > prior to deployment, at which time my colleagues would buy a server
> > certificate from one of the usual CAs, such as GoDaddy.
> >
> > Now, I am looking to do something a little different.
> >
> > First, I set up several Linux virtual machines using Oracle's
> > VirtualBox (nice product BTW), and installed Suse on some and Ubuntu
> > on others. On all, I made sure that openssl was installed and up to
> > date (at least as far as the repositories for Suse and Ubuntu are
> > concerned). I then went exploring, and in /etc/ssl/ I found a
> > configuration file for openssl. I tried reading it, but the comments
> > relied heavily on jargon that most of you take for granted. But since
> > I am just beginning to study this, it might as well have been in
> > Swahili for all the good it did me; and the available documentation is
> > a bit too terse for me to be able to use it to fill in the gaps.
> >
> > I am hoping that one of you kind souls would direct me to a few good
> > web resources on which all your jargon is explained/defined, ideally
> > in standard English.
> >
> > I am also hoping that in describing what I want to do, one or more of
> > you would point me to good documentation on how to get it done.
> >
> > Note, although I am a programmer (using C++, Perl and Javascript -
> > mostly Perl and C++), I am content to use openssl as installed on the
> > Linux distros, and don't really want to recompile it unless absolutely
> > necessary.
> >
> > Here is the objective (mostly dealing with client certificates). As I
> > understand it, one can have a CA that handles issuing certificates and
> > a RA, or registration authority, that is responsible for verifying the
> > identity of the person or corporation that is receiving a certificate;
> > and I understand that most commercial 'CA's combine the two functions
> > into a single corporate entity. But, I want to set up a CA for a
> > company, and then set up an RA for each department (so that the
> > department managers can worry about verifying the identities of their
> > own staff, perhaps in collaboration with their human resources
> > department, and selected outsiders (such as preferred customers,
> > contractors, suppliers, &c.)). I want to set up a simple, secure
> > website that users (intended recipients) access using credentials I
> > provide, including a single user password. After login, the user
> > would be presented with a series of challenges and the responses would
> > be checked against what the user had presented to the RA that passed
> > the credentials I created to the user (each RA would access the DB
> > containing user data through a separate website, in order to enter the
> > required data for each person to whom he wants a client certificate
> > issued). Once the identity of the user is verified, the web site
> > would take the user through the process of creating the client
> > certificate and key. I am unclear as to how this can happen on the
> > client side and the resulting certificate still be signed on the server
> > by my CA. Also, it is unclear to me how I can configure these
> > certificates so that they can a) authenticate the user to a secure
> > server, b) encrypt documents passed between the client and server, and
> > c) sign encrypted documents. Also, I understand that the different
> > browsers support different methods for creating client certificates,
> > so I'd appreciate a pointer to Javascript code that automagically uses
> > the right procedure for whatever browser the client is using. I do
> > not want to be dictating to the user where or when he gets his client
> > certificate or what browser he should use. If there is a repository
> > of javascript code that can run once the certificate has been created
> > and installed in the browser that handles installing it also in
> > whatever email client the user is using, as well as making a proper
> > backup (e.g. to a USB memory stick, so that if anything happens to his
> > computer, he can restore it all once his computer issues are resolved).
> > In brief, I want to make things as easy as possible for the end
> > users.
> >
> > Now, I envision a website for each department, to which only those
> > users who have certificates authorized by the RA in that department
> > can access, and another that provides access as long as he, or rather
> > his browser, presents a certificate authorized by any of the RAs in
> > the company (i.e. a company wide site along with departmental sites).
> > Having worked with Apache 2.2 for quite a while, and on quite a number
> > of secure websites, I am reasonably familiar with configuring Apache
> > to use server certificates, but I am a little unclear on how to tell
> > it to require certificates from a given pair of CA and RA, or a given
> > CA in conjunction with any of a given set of RAs.
> >
> > I am sure there must be lots of companies that have done something
> > like this. What I need is a pointer to documentation on how to do it,
> > along with any accounts of the experiences of those who have done it
> > and what gotchas to watch out for.
> >
> > I have been googling all this for a while, now, but it seems I must
> > have the wrong search query as the signal to noise ratio is
> > vanishingly small (i.e. I get plenty of noise, but little useful
> > info).
> >
> > Any help you can provide would be greatly appreciated.
> >
> > Thanks
> >
> > Ted
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org
>
> --
> Marco Molteni
> Technical Leader - Cisco Media Services Interface

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com
CTO
Merchant Services Corp.
17665 Leslie st., unit 30
Newmarket, Ontario
L3Y 3E3
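The step Ted is unclear about (key pair generated on the client, only the CSR sent to the CA, and the issued certificate still usable for TLS client authentication as well as for S/MIME signing and encryption) can be walked through with nothing but the openssl command-line tool. The script below is an added example; it is not code from this thread nor from either project Marco links to. Every name, DN and path in it is invented, and the RA web portal Ted describes is left out: only the certificate round trip and the checks a relying party makes are shown.

```shell
#!/bin/sh
# Added example, not from the thread: the CSR round trip between a client
# and a small OpenSSL-based CA, using only the openssl CLI.  All names,
# DNs and paths are made up for the demonstration.
set -eu

# make_ca DIR CN -- create a self-signed root CA (key + certificate) in DIR.
make_ca() {
    dir=$1 cn=$2
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
O  = Example Corp
OU = Corporate PKI
CN = $cn
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# make_csr DIR NAME EMAIL -- client side: generate a key pair and a CSR.
# Only client.csr is sent to the CA; client.key never leaves DIR.
make_csr() {
    dir=$1 name=$2 email=$3
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
O            = Example Corp
OU           = Engineering
CN           = $name
emailAddress = $email
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
}

# sign_csr CADIR CSR OUT -- CA side: issue an end-entity certificate.
# The extensions are what make the result usable for (a) TLS client
# authentication, (b) S/MIME encryption to the user and (c) S/MIME signing.
sign_csr() {
    cadir=$1 csr=$2 out=$3
    cat > "$cadir/client_ext.cnf" <<'EOF'
[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -days 365 -in "$csr" -CA "$cadir/ca.crt" \
        -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$cadir/client_ext.cnf" -extensions client_cert \
        -out "$out" 2>/dev/null
}

# key_matches_cert KEY CERT -- succeed if CERT carries the public half of KEY.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# verify_client_cert CADIR CERT PURPOSE -- print OK or FAIL.  PURPOSE is an
# openssl verify purpose (sslclient, smimesign, smimeencrypt, ...); this is
# the same chain check mod_ssl performs against SSLCACertificateFile.
verify_client_cert() {
    if openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$2" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

demo() {
    work=$(mktemp -d)
    make_ca "$work/corp-ca" "Example Corp Root CA"     # the company CA
    make_ca "$work/other-ca" "Some Other Root CA"      # an unrelated CA
    make_csr "$work/alice" "Alice Example" "alice@example.com"
    sign_csr "$work/corp-ca" "$work/alice/client.csr" "$work/alice/client.crt"
    cert=$work/alice/client.crt
    key_matches_cert "$work/alice/client.key" "$cert" && echo "cert binds Alice's key"
    echo "corp CA, sslclient:    $(verify_client_cert "$work/corp-ca" "$cert" sslclient)"
    echo "corp CA, smimesign:    $(verify_client_cert "$work/corp-ca" "$cert" smimesign)"
    echo "corp CA, smimeencrypt: $(verify_client_cert "$work/corp-ca" "$cert" smimeencrypt)"
    echo "other CA, sslclient:   $(verify_client_cert "$work/other-ca" "$cert" sslclient)"
    rm -rf "$work"
}

demo
```

Run it as `sh pki-demo.sh`. The last line of output shows the same certificate being rejected when checked against an unrelated CA, which is exactly the behaviour `SSLVerifyClient require` together with `SSLCACertificateFile` (pointing at the company CA certificate) gives an Apache 2.2 virtual host. Narrowing a departmental site to one RA is not something that chain check alone expresses, since any certificate that chains to the company root passes; a way to do it (my suggestion, not from the thread) is to give each department its own intermediate CA, or encode the department in the subject DN, and then test the issuer or subject in an `SSLRequire` expression, for example on `%{SSL_CLIENT_I_DN_OU}` or `%{SSL_CLIENT_S_DN_OU}`.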