[unisog] Questions about Local Cert. Authorities

Reg Quinton reggers at ist.uwaterloo.ca
Thu Oct 9 13:52:57 GMT 2003


> Hi.  Due to our need to provide certificates for a number of
> network services in the near future, we're looking at setting up a local
> certificate authority (CA) for our campus.  I'm looking for good
> references and best practice type information.

We have a local CA since 1988 with a self signed certificate using openssl
technologies to sign host certs within our DNS domain -- we do not sign
user certs. See:

http://ist.uwaterloo.ca/security/ssl-pki/index.html
http://ist.uwaterloo.ca/security/IST-CA/
http://ist.uwaterloo.ca/security/IST-CA/certs/
http://ist.uwaterloo.ca/security/lib-proxy/howto/ca/

The problem, of course, is getting browsers to trust your CA. Configuring
Apache/etc. to use your certs is no different than using a commercial one.

1. for machines we manage it's pretty trivial to get the certificate store
loaded with your cert.

2. you run into perversities like IE on the MAC which are basically snafu
and can't import certs.

3. we encourage our https sites to include a warning banner along the lines
of:

Authentication services are protected by the Secure Socket Layer (SSL)
using a certificate signed by the IST Certificate Authority. If you have
not done so already, you should load the certificate for that authority -- 
click here and follow the instructions.
4. but https sites often don't do it and users are really confused by the
steps the browsers take them through (which you have no control over). More
often than not people just click the "accept that host certificate" button.

5. we do not have a PKI. I manage host certs by simple cron jobs that
generate mail like "Hey, this certificate expires within a month -- do
something about it!"

6. we continually get people asking us to sign a host certificate for them.
We don't sign certs for anything not within our local domain.

7. we try to avoid certificate requests generated by end users (they never
follow the naming convention). The CA generates the certificate and key and
returns both to the end site. IIS has always been a pain on that one.

-----------------

This year we've got approval from Thawte to sign certificates from web
pages managed by them at a modest cost. You're restricted to a name space
for which you're the authority -- basically we manage uwaterloo.ca DNS so
we can manage a similar X509 name space.

I've yet to do anything with that as I'm up to my ears in more urgent
problems.

Thawte certificates would avoid the confusion users have.

Like others I'm not aware of authorities that will give you a CA
certificate. And I'm sure that if you had one you'll find that most
applications really can't handle a chain of authority.

I hope this helps.

I am, Reg Quinton <reggers at ist.uwaterloo.ca>
      Senior Technologist, Security
      Information Systems and Technology
      University of Waterloo, 200 University Ave W
      Waterloo, Ontario N2L 3G1 Canada
      +1 519 888-4567x6070
      http://ist.uwaterloo.ca/~reggers




More information about the unisog mailing list