What is a Certificate Environment, an Introduction
A certificate environment is beneficial because it lets you control access quite securely, and administration, once it is set up, is not really heavy. In the end, if the process is working fine, a new user starting at the company will get a machine, a username and password, and a certificate. With that certificate he or she will be able to access services from outside the company's network, for example. If you trust another CA you can see this by verifying the certificate. A quick overview would be this: go to http://www.isc2.org and then check your browser's bottom-right corner; you will see a little lock like in Figure 2 (or you should see it somewhere on your browser), indicating that the traffic is secured with an entity that your browser trusts.
Figure 2:

If you double-click on that little lock, a screen will come up showing you information about the certificate and who issued it, as shown in Figure 3. In this case Thawte issued it. Thawte is one of a few commercial certificate authorities out there. These are trusted and built into most browsers. They are the ones that the public internet will check against if you have a certificate on a public website. These certificates cost money, however. Not THAT much anymore, but still. Site certificates, meaning certificates that are issued by Thawte but allow you to issue certificates on your own that are then trusted by Thawte and therefore “the internet”, are a totally different ballgame, however. Prices are very high for those AND you have to thoroughly prove that your company is to be trusted.
Figure 3:

Another thing to consider is the case where your company has a partnership with another company and you share a VPN connection and/or network resources. If you share your public “root certificate” with them, they can deploy it to their systems (as we will show later on) and access, securely and fully trusted, the network resources of yours that they have access to. They will no longer get the nasty messages shown in Figure 3.
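The trust relationship described above, as an added example that is not part of the original post: it builds a throwaway root CA with the openssl command line, issues a service certificate from it, and shows that verification only succeeds against a trust store containing that root. All names (Example Corp, Unrelated Org, files.corp.example) are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name below is made up; keys live in a temp dir.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# make_ca NAME ORG: self-signed root. NAME.crt is the public part you share;
# NAME.key must never leave the CA machine.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=$2/CN=$2 Root CA" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}

# issue_cert CA_NAME: create a key and signing request for a service,
# then sign the request with the given root.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=files.corp.example" \
        -keyout "$demo_dir/srv.key" -out "$demo_dir/srv.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/srv.csr" -days 30 \
        -CA "$demo_dir/$1.crt" -CAkey "$demo_dir/$1.key" -CAcreateserial \
        -out "$demo_dir/srv.crt" 2>/dev/null
}

# issuer_of: the "who issued it" field a browser shows for the certificate.
issuer_of() {
    openssl x509 -noout -issuer -in "$demo_dir/srv.crt"
}

# verify_with TRUSTSTORE: succeeds only if srv.crt chains to a root in it.
verify_with() {
    openssl verify -CAfile "$1" "$demo_dir/srv.crt" 2>/dev/null | grep -q ': OK$'
}

make_ca corp "Example Corp"     # your company's CA
make_ca other "Unrelated Org"   # stands in for a trust store without your root
issue_cert corp
issuer_of
for store in other corp; do
    if verify_with "$demo_dir/$store.crt"; then
        echo "trust store '$store': certificate trusted"
    else
        echo "trust store '$store': NOT trusted (a browser would warn here)"
    fi
done
```

Only `corp.crt` is handed to the partner; the matching `corp.key` stays with the CA, since anyone holding it can issue certificates the partner's systems will trust.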

I hope this gave you a brief introduction on what a certificate environment is. If you have any questions or comments please feel free to leave them here or mail them to me at flosse@2blocksaway.com
I found pretty good posts about SSL CA here and here, but the second one is already on the scripting and technical side, whereas the first one is actually quite elaborate and has a lot of other details.
Click here if you want to see the full index and brief of the OpenSSL for everything “project”
//Flosse