----- Original Message -----
From: "Tarjei Huse" <[EMAIL PROTECTED]>
To: "Noah L. Meyerhans" <[EMAIL PROTECTED]>; <debian-security@lists.debian.org>
Sent: Sunday, August 24, 2003 1:51 PM
Subject: Re: Looking for a simple SSL-CA package

> I think I'll end up with pyca (www.pyca.org) as it seems to have most of
> these features in place. The other possibilities are openca which is
> IMHO too complicated for my needs and tinyca (that many on this list
> suggested) that doesn't (please correct me if I'm wrong) give me the
> finished scripts for importing certs in outlook, IE, Mozilla and other
> programs.
>
> If there are other alternatives out there, please let me know. Again, I
> thank you for your contributions.
> Tarjei

Apologies if I am repeating someone else's points, I haven't followed the thread in depth.

It sounds kind of kooky, but we have operated a CA for about 2 years, having about 400 users, using just openssl and a few hand-turned scripts and a dynamic webpage. User info is maintained in MySQL, though we let openssl maintain the CA history in text files.

The CA doesn't do any of the Outlook, IE, Mozilla etc. importing - those programs do that; you just have to know what sort of certs to generate, and how to trigger the import processing on the client.

We use a webpage and several variants of the XEnroll object for IE v5.01-6.0, where IE generates the keypair and creates a CSR which gets posted to the webserver. We then sign the request and create an x-pkcs7-certificates [.p7b file] which is returned to the webserver for the user to download (they hit the Refresh button on the request page). There are some busted Office XP upgrade paths, for which we have to generate the keypair on our server in PKCS12 format [.pfx file] - which we then make available to the user via the webpage.

NS/Mozilla is easy - as per IE, we get the client to generate a CSR which gets posted to our webserver. We sign the certificate, x-x509-user-cert [.cct file], and copy it back to the webserver for the user to install. The only bugbear is that Mozilla succeeds silently, so you can't easily throw up a warning if the import failed for some reason [failure is rare].

Outlook will recognise your CA as an authority for secure pop and imap connections if you import your self-signed CA cert in IE - just get your users to download your CA cert x-x509-ca-cert [.crt file] from a website and click on Install Cert.

Regards
Jeff
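The flow Jeff describes, as an added shell example (not his scripts or anything from the thread): a client CSR signed by the CA, bundled as a .p7b for IE, the server-side .pfx fallback for the broken Office XP clients, and the Content-Type values that make the browsers run their importers. The CA name, subject, paths and the .pfx password are constructed placeholders, and the "client" step generates the CSR locally only to keep the example self-contained; in the real flow the browser makes the keypair and posts just the CSR.

```shell
# Added example, not Jeff's scripts: the openssl steps behind the flow above.
# All names, paths and the .pfx password are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # stand-in for the CA's working directory

# One-off: self-signed CA cert that users later install as x-x509-ca-cert (.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Stand-in for the client: in the real flow IE (XEnroll) or Mozilla generates the
# keypair and posts only the CSR, so the private key never reaches the CA.
make_client_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Alice Example/emailAddress=alice@example.test" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

# CA side: sign the posted CSR with the CA key.
sign_csr() {
    openssl x509 -req -days 30 -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.crt" 2>/dev/null
}

# IE import: signed cert plus CA cert as a PKCS#7 bundle (.p7b), no private key inside.
make_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/user.crt" -certfile "$WORK/ca.crt" \
        -outform DER -out "$WORK/user.p7b"
}

# Fallback for the broken Office XP clients: server-generated key in a PKCS#12 (.pfx).
# This file carries the private key, so it must be password protected and served over TLS.
make_pfx() {
    openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
        -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/user.pfx"
}

# Content-Type the webserver must send so the browser runs its importer.
mime_for() {
    case "$1" in
        *.p7b) echo application/x-pkcs7-certificates ;;
        *.cct) echo application/x-x509-user-cert ;;
        *.crt) echo application/x-x509-ca-cert ;;
        *) return 1 ;;
    esac
}
```

Run the functions in order (make_ca, make_client_csr, sign_csr, make_p7b, make_pfx); `openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt"` confirms the issued cert chains to the CA.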