I understand the nature of ossec-authd is to provision pub/priv key pairs as signed by an authority. The question is more around the nature of the cert used in signing.
On Friday, May 30, 2014 11:49:41 AM UTC-7, dan (ddpbsd) wrote:
>
> On Fri, May 30, 2014 at 2:13 PM, rgamurphy <[email protected]> wrote:
> > Hello,
> >
> > I'm at the beginning of designing an OSSEC infrastructure for my organization and from what I've been unable to find on my own I must have a bit of an unusual requirement for our setup. We have an internal CA with a hierarchal setup (a top level signing authority with a few layers of subordinates as a way to thwart cross environment data contamination). This mostly works well for us and I can usually find supporting documentation regarding how different subsystems work with/as subordinate CAs. The idea is to have ossec-authd take care of federating new agents as a subordinate certificate authority. Ideally, the cert would also be used to verify the clients at the initial key assignment as well (but that seems to be a feature still in pull request https://github.com/ossec/ossec-hids/issues/166).
> >
> > I'm actually a bit surprised that I can't find this in OSSEC documentation but I assume it would be supported since the cryptography backend is OpenSSL. Has anyone tried and/or have some guidance around this?
> >
>
> I probably don't have any clue what you're actually asking, but OSSEC's authd cannot give out anything beyond an OSSEC key.
>
> > Thanks!
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
