Educause Security Discussion mailing list archives

Re: SSL/SSH certificates


From: Sam Hooker <samuel.hooker () UVM EDU>
Date: Thu, 13 May 2010 13:02:10 -0400


On 20100513 12:22, Matthew Gracie wrote:
> For things that are only accessed by ITS staff (such as the
> infrastructure components you listed), we generate certs with an
> internal CA and set up staff machines to trust them. No need to pay for
> an external certificate for such a small audience, at least in my opinion.

While our university internal CA hasn't seen wide use yet, I do this for
my private stuff (hosted for friends and family); it's easy enough to
have a small audience import the CA cert, and wider (campus-wide,
perhaps?) acceptance can be worked into your central imaging/deployment
regimen. Just make sure you can import your CA cert into your
vulnerability testing tools, too. ;-)

If the notion of managing a CA with raw openssl intimidates you,
download the OpenVPN source[1] and fish out the "easy-rsa" directory:
there are scripts in there that make it pretty straightforward. Feel
free to email me off-list with questions, if you'd like.


Cheers,

-sth

[1]http://openvpn.net/index.php/open-source/downloads.html

-- 
Sam Hooker | samuel.hooker () uvm edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont


Attachment: signature.asc
Description: OpenPGP digital signature
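The internal-CA workflow the two posters describe (generate a CA, issue a server cert from it, make sure clients and scanners trust the CA cert) is spelled out below as an added example using plain openssl; it is not from either post or from the easy-rsa scripts, and the directory layout, the "Example Internal CA" name and the hostname ldap.internal.example are constructed for the demo. The last two functions show the check Sam alludes to: a cert that verifies cleanly with the CA file and fails against the default trust store, which is exactly what a scanner that has not imported the CA cert will report.

```shell
#!/bin/sh
# Added example, not code from the list post or from OpenVPN/easy-rsa.
# Minimal internal CA with plain openssl: CA key+cert, a server cert with
# a SAN signed by that CA, and the two verification outcomes a client sees.
set -e

make_ca() {
  # $1 = working directory (constructed for the demo). Self-signed CA cert.
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

issue_server_cert() {
  # $1 = working directory, $2 = hostname. Key + CSR, then sign with the CA.
  # Modern clients require the name in subjectAltName, not only the CN.
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
  # Extensions for a leaf (server) certificate: SAN, serverAuth, not a CA.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 825 -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
}

verify_with_ca() {
  # $1 = dir, $2 = hostname. Returns 0 when the cert chains to ca.crt:
  # what a staff machine that has imported the CA cert sees.
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

verify_without_ca() {
  # Same cert against the default system trust store: returns non-zero.
  # This is the view of a vulnerability scanner that was never given ca.crt.
  openssl verify "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_server_cert "$demo_dir" "ldap.internal.example"
if verify_with_ca "$demo_dir" "ldap.internal.example"; then
  echo "with CA file:    verified OK"
fi
if verify_without_ca "$demo_dir" "ldap.internal.example"; then
  echo "without CA file: unexpectedly verified"
else
  echo "without CA file: verification failed (CA not trusted)"
fi
rm -rf "$demo_dir"
```

`-CAfile` stands in for the trust-store import: on a real workstation you would drop ca.crt into the OS store (for example with update-ca-certificates on Debian/Ubuntu or update-ca-trust on RHEL/Fedora) and feed the same file to whatever scanning tools you run, otherwise every internal host shows up as "untrusted certificate". Keep ca.key offline or at least off the hosts that serve the leaf certs; anyone holding it can mint certs every trusting machine accepts.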

