[unisog] Questions about Local Cert. Authorities

Russell Fulton r.fulton at auckland.ac.nz
Wed Oct 8 19:43:12 GMT 2003


On Wed, 2003-10-08 at 12:42, Seth Hollyman wrote:
> Hi.  Due to our need to provide certificates for a number of
> network services in the near future, we're looking at setting up a local
> certificate authority (CA) for our campus.  I'm looking for good
> references and best practice type information.

We recently investigated this to.
> 
> For example, for those of you who have a local CA, is it self-signed or
> a subordinate of someone like thawte/verisign/etc? 

So far as I can tell you can no longer get signing certificates from
Verisign.  Thawte (who we deal with) officially say that they no longer
issue them and refer you to an email address at verislime.  I have sent
at least 4 emails to that address over a month with no response.  I have
also searched their web pages and found no mention of the availability
of signing certificates. 

The reason is obvious, why would you sell something with removes your
customers need to ever buy anything else from you.  

Some of our techs found a MS support page that suggested that it was
easy to set up your own CA and get MS to load your certificates into IE.
The catch is (as I found out by reading lots of stuff and following at
least 3 links deep from that page) is that you need to join some 'web of
trust organisation' following another link from their page you find out
that to join you need to be 'audited' and this costs between $70,00 and
$200,000 depending on the size and complexity of the organisation.

>  What kind of
> guidelines have been established for verifying client signing requests?
> What software are you using to manage your CA?

This really depends on what you want to protect with the certificates. 
Like all security decisions it a trade off between cost and safety, but
you know that already.  

BTW we decided that setting up a CA for signing end user certificates
was not worthwhile and that end user certificates were far more trouble
than they are worth.  We were heavily influenced in this discussion by
input from Peter Guttman who is a recognised authority in this area.

We did decide to go ahead with a pilot project involving an IPSEC VPN
and will probably look at issuing some SSL certs for 'internal' systems
where the vast bulk of the users will be using universty supplied
browsers (that will have our Certificate loaded).

I am interested systems for loading certs into browsers so we can direct
people to these links when they encounter our certificate for the first
time.

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.



More information about the unisog mailing list