Urjit Gokhale wrote:
> Hi,
> I am planning to SSL-enable my client-server application, which I will be making available for commercial use. In this process I had planned to use the openssl command-line utility as the CA to give out certificates (I am going to work as a private CA). But just then, I came across a section in "Network Security with OpenSSL" (O'Reilly) that states: "Since OpenSSL's command-line CA functionality was intended primarily as an example of how to use OpenSSL to build a CA, we don't recommend that you attempt to use it in a large production environment."
> It also talks about freely available CA packages such as OpenCA and pyCA.
> So now I am a little confused about using the openssl command-line utility as a CA to give out certificates. What could be the reasons for using anything other than openssl as a CA? Are there security issues? Are people using openssl as their private CA? Are any particular problems reported regarding the use of openssl as a private CA on a large scale?
I do use openssl (with some custom things like a website for clients to generate keys and CSRs for a browser) as a private CA and it works quite fine. I guess it's not ideal if you have lots (thousands) of certificates to manage, mainly for performance reasons. And it's kind of spartan.

If you want to work with client certificates you'll probably need a practical way for your users to generate certificates, since you should not assume a typical user can generate a key pair and CSR using the openssl utility, especially if they should be able to use them in things like browsers or other client-side tools.

So IMHO it is possible but there may be a bit extra work. I do not know of any insecurities and I would expect none. Also I have not tested other CA packages, so I cannot give you a direct comparison...

Hope it helps
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

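As an added example (not Ted's setup and not code from the thread), here is the minimal shape of a private CA run with the openssl command-line utility that the question asks about: a self-signed root, an `openssl ca` configuration, issuance of a client certificate from a CSR, revocation, and a CRL-checked verification. All paths, the CA name and the client name are assumptions for the demo; the CA key is written unencrypted (`-nodes`) only so the script runs unattended.

```shell
#!/bin/sh
# Added example: private CA with the openssl CLI. Paths and names are made up.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA directory layout, the openssl ca config, and a self-signed root.
setup_ca() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"          # flat-file certificate database
  echo 1000 > "$CA_DIR/serial"     # next serial number (hex)
  echo 1000 > "$CA_DIR/crlnumber"  # next CRL number (hex)

  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = private_ca

[ private_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_client
x509_extensions  = client_cert
unique_subject   = yes
copy_extensions  = none

[ policy_client ]
commonName       = supplied
organizationName = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Example Private CA

[ ca_cert ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

  # Self-signed root. For real use replace -nodes with -aes256 (passphrase)
  # and keep private/ca.key off the machine that receives CSRs.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA_DIR/openssl.cnf" -extensions ca_cert \
    -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# issue_client <name>: generate a key and CSR for a user, then sign the CSR.
# copy_extensions=none above means extensions requested in the CSR are ignored;
# the CA alone decides what goes into the certificate.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" \
    -subj "/CN=$1" -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}

# revoke_client <name>: mark the certificate revoked in index.txt.
revoke_client() {
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.crt" 2>/dev/null
}

# verify_client <name>: regenerate the CRL and verify the chain with CRL checking.
# Returns 0 only if openssl reports the certificate as OK.
verify_client() {
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
  cat "$CA_DIR/ca.crt" "$CA_DIR/ca.crl" > "$CA_DIR/trust.pem"
  openssl verify -crl_check -CAfile "$CA_DIR/trust.pem" "$CA_DIR/$1.crt" 2>&1 \
    | grep -q ': OK$'
}
```

Usage: `setup_ca; issue_client alice; verify_client alice; revoke_client alice; verify_client alice` (the last call fails). Two things are visible here that bear on the question. The certificate database is the flat files `index.txt` and `serial`, which `openssl ca` reads in full and rewrites on every operation and which it does not lock against a second concurrent issuer; that is the practical limit for a large installation. And the `copy_extensions`, `policy` and `x509_extensions` settings are what stop a submitted CSR from dictating its own extensions, so they belong in any config used for issuing to untrusted requesters.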