Educause Security Discussion mailing list archives
Re: SSL/SSH certificates
From: Sam Hooker <samuel.hooker () UVM EDU>
Date: Thu, 13 May 2010 13:02:10 -0400
On 20100513 12:22, Matthew Gracie wrote:
> For things that are only accessed by ITS staff (such as the infrastructure components you listed), we generate certs with an internal CA and set up staff machines to trust them. No need to pay for an external certificate for such a small audience, at least in my opinion.

While our university internal CA hasn't seen wide use yet, I do this for my private stuff (hosted for friends and family); it's easy enough to have a small audience import the CA cert, and wider (campus-wide, perhaps?) acceptance can be worked into your central imaging/deployment regimen. Just make sure you can import your CA cert into your vulnerability testing tools, too. ;-)

If the notion of managing a CA with raw openssl intimidates you, download the OpenVPN source[1] and fish out the "easy-rsa" directory: there are scripts in there that make it pretty straightforward.

Feel free to email me off-list with questions, if you'd like.

Cheers,

-sth

[1] http://openvpn.net/index.php/open-source/downloads.html

--
Sam Hooker | samuel.hooker () uvm edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont
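Added example, not part of the original post and not taken from easy-rsa: the internal-CA workflow discussed in this message, done with raw openssl. The CA name, the host name wiki.internal.example and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a minimal internal CA with raw openssl. All names are constructed.

make_internal_ca() {            # $1 = directory that will hold the CA
    mkdir -p "$1" && chmod 700 "$1" || return 1
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes leaves the key unencrypted so the demo runs unattended;
    # drop it for a real CA so openssl prompts for a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_server_cert() {           # $1 = CA directory, $2 = DNS name of the host
    # Clients match the hostname against subjectAltName, so it must be set.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$2" > "$1/$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

verify_against_ca() {           # $1 = CA certificate, $2 = server certificate
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: the certificate validates only for clients that trust this CA.
demo=$(mktemp -d)
make_internal_ca "$demo/ca" && issue_server_cert "$demo/ca" wiki.internal.example
verify_against_ca "$demo/ca/ca.crt" "$demo/ca/wiki.internal.example.crt" &&
    echo "chain OK; distribute only $demo/ca/ca.crt to clients"
```

Only ca.crt is imported into client trust stores and scanning tools; ca.key stays on the CA host.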