Confused about CA deployment options

From: bhogan (bhogan@cox.net)
Date: 05/24/02


From: "bhogan" <bhogan@cox.net>
Date: Fri, 24 May 2002 13:55:58 -0700


I am trying to deploy SSL in a multiple domain
environment where my domains are varied where in xx.yy.zz
the x. portion of the domain has many different values
based on each organization within the larger
organization. Then also the URLs will vary with services
offered so the URL looks like ww.xx.yy.zz. What is the
most efficient way to implement SSL in this environment?
To complicate it further these are load balanced servers
and each one may represent 30 of the above variations.
Can a single server host 30 different SSL URLs (they
actually all end up at the same site but based on the URL
they typed in they appear to have a branded site)? If the
cert only represents yy.zz which is the only constant,
then the client will likely get an error when connecting
to ww.xx.yy.zz

I planned on installing my own CA as a standalone root.
The problem here is then the clients don't automatically
trust the CA. Can I use a third party certificate (i.e.
VeriSign) for the root of the CA only? If I do, will the
clients automatically trust any certificates I then
generate based on the root certificate? I know the obvious
solution is to just purchase them all from a third party
but I have no budget to work with so it's time to be
creative.
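
The name-mismatch concern raised in the post, as an added example that is not part of the original post: a simplified version of the hostname check a TLS client applies, run against the post's placeholder names. The second organization label `aa`, the function names, and the rule that only a whole left-most `*` label counts as a wildcard are assumptions of this sketch.

```python
# Added example (not from the original post): simplified hostname check of
# the kind a TLS client performs against the DNS names in a server cert.
# Assumption: a wildcard is honoured only as the entire left-most label.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False              # a wildcard never spans several labels
    if p[0] == "*":
        return "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if "*" in pattern:
        return False              # partial wildcards (w*.xx) are rejected here
    return p == h


def uncovered(cert_names, hostnames):
    """List the hostnames that no name in the certificate covers."""
    return [host for host in hostnames
            if not any(name_matches(n, host) for n in cert_names)]


# Constructed sample: two branded URLs of the ww.xx.yy.zz form.
SITES = ["ww.xx.yy.zz", "ww.aa.yy.zz"]

# Constructed candidate certificates, each given as its list of DNS names.
CANDIDATES = {
    "constant part only": ["yy.zz"],
    "wildcard on constant part": ["*.yy.zz"],
    "wildcard for one organization": ["*.xx.yy.zz"],
    "one wildcard per organization": ["*.xx.yy.zz", "*.aa.yy.zz"],
}

if __name__ == "__main__":
    for label, names in CANDIDATES.items():
        missing = uncovered(names, SITES)
        status = "covers all sites" if not missing else f"mismatch on {missing}"
        print(f"{label:32} {names} -> {status}")
```

Any hostname reported as a mismatch is one where the client would show a certificate name warning, regardless of which CA issued the certificate.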


