Re: Certificate Server - second attempt!

From: Thomas Karlsson (thomas.karlsson3@re.ove.telia.com)
Date: 06/06/02


From: Thomas Karlsson <thomas.karlsson3@re.ove.telia.com>
Date: Wed, 05 Jun 2002 22:12:44 GMT

Paul wrote:
> Could someone please help me? I am nearing the point where I need to
> implement an internal Certificate Server, and I would like to discover a way
> to simplify the process of generating a certificate and installing the
> private key on the client.
> Would it be normal practice to generate the key locally on the server, for a
> client, and then copy the key over to the client manually? How could you do
> this - file sharing, copy onto floppy, SSH?
>
> Here's a copy of my previous mail, with my other questions. I would
> sincerely appreciate some help.
>
> Best regards
> Paul
>
>
> Does anyone know if it is possible to create a certificate server which
> allows you to request a certificate from a client over Apache (https) and
> will automatically generate a private key to copy and paste onto the client.
> Then the public key will automatically be added to the CA?
>
> Any pointers to useful documents and websites would be very appreciated.
> I tried http://www.openca.org, but couldn't find the manuals and, to my
> disappointment, the demo stated that I did not have permission to access the
> server. Hence, I cannot really understand exactly what it is! Anyway, if
> there is alternative software available, I would still like to investigate it
> if it is recommended.
>
> Please help me!!! :-)
> Many thanks
> Paul
>
>

Hi

You always want the client to produce a PKCS #10 certificate request
(generate the private key locally) if you want complete non-repudiation.
But if you're interested in key recovery, then you may choose server-side
creation of keys.
Hmm, as a general rule, you just want to copy the keys safely. The safest
way is by floppy, but personally I don't have a problem with SSH.
File sharing without encryption is not good.

Your question in the previous mail: your question is a good definition
of a CA. All CAs can do that.
Here is a Java CA that is good: http://ejbca.sourceforge.net/
Another really light CA is TinyCA.

//Thomas
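The client-side PKCS #10 flow Thomas recommends, as an added example in Go (not code from this thread, EJBCA or TinyCA): the client generates its own key and sends only the request, and the CA checks the request's self-signature (proof that the requester holds the private key) before issuing. The CA subject, serial numbers and the `must` helper are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the example short: any failure aborts (a real CA returns the error instead).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCA builds a self-signed internal CA; constructed for this example only.
func makeCA() (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// clientMakeCSR runs on the client: the private key is generated here and stays here;
// only the PKCS #10 request (DER) is sent to the CA.
func clientMakeCSR(cn string) (*rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// caSignCSR runs on the CA: parse the request, verify the requester's self-signature
// (proof it holds the matching private key), then issue a client certificate for that key.
func caSignCSR(caCert *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err // tampered or forged request: refuse to issue
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, // constructed serial
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)))
}
```

Only `csrDER` crosses the wire in this flow, so the transport question (floppy, SSH, file share) applies to the CA's issued certificate and not to the client's private key.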
