requirement: certificate authority package: openssl installation: apt-get install openssl
Openssl has all the functionality you need to create and operate your own Certificate Authority. Openssl can generate a self-signed certificate for the CA itself. Openssl can generate and sign server certificates - eg for your web, imap, pop servers Openssl can generate and sign PFX and P7B certificates for email / browser client certificates Openssl can sign certificate requests created by MSIE 5.01+ and NS 4.75+ Openssl can revoke client certificates Openssl will keep your CRL up-to-date etc... I operate our CA using openssl and in-house scripting, for secure web and mail services with extensive use of client certificates in MSIE, Netscape, Outlook, Outlook Express. (Though Outlook does not seem to support client certs yet [anyone disagree?]) I manage about ~500 active users and ~20 servers. If you are looking to manage 10,000s of certificates you will probably have to develop your own scripts to manage the CA, as the textbase must fit entirely in memory. With about 1000 certs, the textbase is only about 150K 8-) If you understand how a CA works, then its easy peasy. If not, you will need to understand how a CA works it before you dive in. The documentation is poor, and last I looked, there were not many examples - it seems to still have a whiff of the arcane. I've often thought someone should create some MINI-HOWTOs covering the full cycle from CA setup and operation through to client CSR, signing and installation etc. It took me a lot of trial and effort to get it all hanging sweetly, esp for example getting MSIE to create a CSR and then install the signed cert under the various NT4, XPsp1 etc. I am sure that there is probably a 'Better Way'. I would be happy to contribute, but we need a recognised / trusted person to act as focus / coordinator. A second phase might be to refine the scripts to make full CA operation a breeze, maybe even in conjunction with openssl.org? [openssl config seems to have a lot of detris from early days left in it] HIH, Jeff ----- Original Message ----- From: "rico" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, November 04, 2003 8:43 AM Subject: certificate server Hello Do you know if exist a package that implements a certificate server (PKI) for debian, and where I can find it? Thank you very much! -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
