I want to thank all the people who have commented on this. I want to analyze all that you have written before asking you more questions, especially the Kerberos and PKI comments.
I will then surely get back to you with more questions :)

Martín Coco wrote:
> Hi,
>
> We're in the process of designing a PKI infrastructure for our company,
> and I have a couple of design questions about it. I know this is an
> OpenSSL mailing list, but it seems the right place to discuss this. If
> it's not, I'll appreciate it if you can hand me some links to a more
> proper place.
>
> I've been reading the man pages for OpenSSL, this mailing list, and also
> acquired the book "Planning for PKI".
>
> My main goal is to design a PKI for our server infrastructure (ldaps,
> https, mail, vpn, etc.). The problem is that, for example, when reading
> the mentioned book, all the examples are based on people, but not on
> systems or services. So you have all these divisions by locality,
> department, etc., but always based on people. I was thinking of building
> a hierarchical PKI in which I had the root CA, and then a subCA for each
> of the needed services. This last CA would be responsible for generating
> and signing certificates for each server related to the service it
> provides. So, for example, the subCA for LDAP would sign certificates
> for our master LDAP server, the slave LDAP server, and so on.
>
> Does this make sense? If I also wanted to generate and sign certificates
> for people to use in their mail, should I place them in this PKI
> architecture, or create another one altogether? Should I place them in
> the mail service tree of this architecture?
>
> Also, if a person connecting to one of these servers were to
> authenticate it, they should have the subCA's certificate and the root CA
> certificate to validate the certification path, right? That would mean
> that every person should have a certificate for each subCA or service
> they want to check, and the root CA. Is this correct?
>
> How does all this sound to you? Whenever I try to look for examples, all
> I find is based on people, or very specific examples.
>
> I'll appreciate any comments on this.
>
> Thanks,
> Martín.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
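The hierarchy asked about in the quoted message (root CA, one sub-CA per service, server certificates under it), as an added example that is not part of the original thread: a shell script that builds the chain with the openssl CLI and then verifies the LDAP server certificate the way a connecting client would. Every name and path in it (Example Root CA, ldap-master.example.internal, the scratch directory) is constructed for the example.

```shell
set -eu
# Scratch location for the demo CA hierarchy (constructed; not a real CA directory).
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Extension profiles. The sub-CA gets pathlen:0: it may issue server certs, never another CA.
write_ext_files() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    >"$PKI_DIR/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    >"$PKI_DIR/subca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' \
    >"$PKI_DIR/server.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap-master.example.internal\n' \
    >>"$PKI_DIR/server.ext"
}

# issue NAME SUBJECT EXTFILE [ISSUER]; without ISSUER the certificate is a self-signed root.
issue() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/$name.key" \
    -out "$PKI_DIR/$name.csr" -subj "$subj" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$PKI_DIR/$name.csr" -signkey "$PKI_DIR/$name.key" \
      -days 3650 -extfile "$PKI_DIR/$ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$PKI_DIR/$name.csr" -CA "$PKI_DIR/$issuer.crt" \
      -CAkey "$PKI_DIR/$issuer.key" -CAcreateserial -days 825 \
      -extfile "$PKI_DIR/$ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
  fi
}

# Root -> LDAP sub-CA -> master LDAP server: the tree described in the question.
build_pki() {
  write_ext_files
  issue root   "/O=Example/CN=Example Root CA"              ca.ext
  issue ldapca "/O=Example/CN=Example LDAP Sub-CA"          subca.ext root
  issue ldap   "/O=Example/CN=ldap-master.example.internal" server.ext ldapca
}

# Client view: only root.crt is trusted; the server presents its own cert plus the
# sub-CA cert (given here with -untrusted). Exit status 0 means the path validates.
verify_with_chain() {
  openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/ldapca.crt" \
    "$PKI_DIR/ldap.crt" >/dev/null 2>&1
}

# Same trust store, but the server sent only its own cert: no path to the root exists.
verify_without_intermediate() {
  openssl verify -CAfile "$PKI_DIR/root.crt" "$PKI_DIR/ldap.crt" >/dev/null 2>&1
}
build_pki
```

The two verify calls show the point behind the last question in the quoted message: the client's trust store needs only the root CA, as long as the server sends the sub-CA certificate along with its own; a client that trusts only the root and receives only the leaf cannot build the path.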