Discussion:
using openssl as CA ?
Urjit Gokhale
2006-07-18 12:40:39 UTC
Hi,

I am planning to SSL-enable my client-server application, which I will be making available for commercial use. In this process I had planned to use the openssl command line utility as a CA to give out certificates (I am going to act as a private CA). But just then, I came across a section in "Network Security with OpenSSL" (O'Reilly) that states

"Since OpenSSL's command-line CA functionality was intended primarily as an example of how to use OpenSSL to build a CA, we don't recommend that you attempt to use it in a large production environment."

It also talks about freely available CA packages such as openCA and pyCA.



So now I am a little confused about using the openssl command line utility as a CA to give out certificates.

What could be the reasons for using anything other than openssl as CA? Are there security issues?

Are people using openssl as their private CA? Are there any particular problems reported regarding the use of openssl as a private CA on a large scale?



I googled a bit regarding this but could not get any information as such, so I decided to ask this on the list.



~ Urjit





DISCLAIMER

==========

This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails.
Krishna M Singh
2006-07-18 12:52:34 UTC
Hi
I feel lots of people like us do use OpenSSL CAs. One problem you
would face is installing the CA cert in each and every client browser,
else that would give pop-ups. Apart from that, I feel this is as
secure as any commercial CA.

-Krishna
Post by Urjit Gokhale
Hi,
I am planning to ssl enable my client server application, that I will be
making available for commercial use. In this process I had planned to use
openssl command line utility as CA to give out certificates (I am going to
work as private CA). But just then, I came across a section in "Network
Security with openSSL" (O'Reilly), that states
"Since OpenSSL's command-line CA functionality was intended primarily as an
example of how to use OpenSSL to build a CA, we don't recommend that you
attempt to use it in a large production environment."
It also talks about freely available CA packages such as openCA and pyCA.
So now I am a little confused about using openssl command line utility as CA
to give out certificates.
What could be the reasons for using anything other than openssl as CA? Are
there security issues?
Are people using openssl as their private CA? Are there any particular problems
reported regarding the use of openssl as a private CA on a large scale?
I googled a bit regarding this but could not get any information as such, so I
decided to ask this on the list.
~ Urjit
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Bernhard Froehlich
2006-07-18 13:01:10 UTC
Post by Urjit Gokhale
Hi,
I am planning to ssl enable my client server application, that I will
be making available for commercial use. In this process I had planned
to use openssl command line utility as CA to give out certificates (I
am going to work as private CA). But just then, I came across a
section in "Network Security with openSSL" (O'Reilly), that states
"Since OpenSSL's command-line CA functionality was intended primarily
as an example of how to use OpenSSL to build a CA, we don't recommend
that you attempt to use it in a large production environment."
It also talks about freely available CA packages such as openCA and pyCA.
So now I am a little confused about using openssl command line utility
as CA to give out certificates.
What could be the reasons for using anything other than openssl as CA?
Are there security issues?
Are people using openssl as their private CA? Are there any particular
problems reported regarding the use of openssl as a private CA on a large
scale?
I do use openssl (with some custom things like a website for clients to
generate keys and CSRs for a browser) as a private CA and it works quite
fine. I guess it's not ideal if you have lots (thousands) of
certificates to manage, mainly for performance reasons. And it's kind of
spartan.

If you want to work with client certificates you'll probably need a
practical way for your users to generate certificates, since you should
not assume a typical user can generate a key pair and CSR using the
openssl utility, especially if they should be able to use it in things
like browsers or other client side tools.

So IMHO it is possible, but there may be a bit of extra work. I do not know
of any insecurities and I would expect none.
Also, I have not tested other CA packages, so I cannot give you a direct
comparison...

Hope it helps
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
Jorey Bump
2006-07-18 14:22:09 UTC
Post by Urjit Gokhale
So now I am a little confused about using openssl command line utility
as CA to give out certificates.
What could be the reasons for using anything other than openssl as CA?
Are there security issues?
Are people using openssl as their private CA? Are there any particular
problems reported regarding the use of openssl as a private CA on a large scale?
I use openssl for CA management without any problems at all. I think all
of the issues are related to implementation rather than capability (FIPS
notwithstanding). Other tools may provide more convenient interfaces,
but the same basic principles apply.

Remember that a CA is a valuable resource, so protect it well. My CA is
essentially a portable directory of files that is strongly encrypted
when I'm not using it. How you scale this depends on the needs of your
organization.
snacktime
2006-07-18 17:28:31 UTC
We have our own CA that uses Perl to call openssl directly, and we have
used it for several years. We store everything in a database, though,
instead of relying on the text files that openssl uses natively.
Right now we are in the process of rewriting the CA in Ruby, so we can
use Ruby on Rails for the web interface.
b***@public.gmane.org
2006-07-18 21:07:20 UTC
Post by Urjit Gokhale
What could be the reasons for using anything other than openssl as CA? Are
there security issues?
Are people using openssl as their private CA? Are there any particular problems
reported regarding the use of openssl as a private CA on a large scale?
I was designing an open Java/C CA a few years back, but never released a
public version. The target was small-midsized organizations, e.g., a CA
that would issue internal certificates for students and faculty at a
university. I studied many of the issues that they're referring to.

There are actually three separate pieces to a "production" CA:

- a registration authority (RA). This is what accepts the requests and
supporting documentation. We can use openssl command lines, a public CA
can use a website or email, an organization can integrate this into the
standard intake processing for new employees, students, patients, clients,
whatever.

- a certificate repository (Repository). This is what publishes
certificates and CRLs. There are RFCs that describe various standard ways
of providing this information, what types of searches should be supported,
etc.

The openssl CA maintains this information in a set of files. I had
prototyped PostgreSQL with custom types so I had native support of
certificates and keys. That was seriously cool since I could do pretty
much everything openssl does as natively supported database functions and
stored procedures. (It would be published via a J2EE app.)

- a certificate authority [engine] (CA). This does nothing but convert
CSRs to certs.

We're mostly looking at simple environments, but a "production" system
will have many layers of certificates. E.g., you might have a grand-daddy
cert kept in a safe deposit box, top-level departmental certs (also kept
locked away), working departmental certs (kept in the CIO's office), and
the working certs used to sign CSRs. The latter might be handled by
software, but a larger organization will want those top-level certs/keys
in hardware.

(BTW even that hierarchy may be simplified. You may go top-level CA ->
servers CA -> mail servers CA -> departmental mail server CA -> working
departmental mail servers CA -> actual mail server.)

I'm sure you can do all of this with the openssl CA... but imagine signing
a thousand certs for the incoming freshman class.


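The "set of files" mentioned above and the "text files that it uses natively" in snacktime's post are the `openssl ca` database, chiefly a tab-separated index.txt. The following added example (not code from the thread or from OpenSSL) parses that file and sorts entries into still-valid, revoked (the input to a CRL) and expired-but-not-yet-flagged; the sample database is constructed for the example.

```python
"""Audit an `openssl ca` index.txt database (constructed sample below).

Each index.txt line has six tab-separated fields: status ('V' valid,
'R' revoked, 'E' expired), expiry time, revocation time (empty unless
revoked; may carry ',reason'), serial (hex), filename, subject DN.
"""
from datetime import datetime, timezone

# Constructed sample database; serials and names are invented for the example.
SAMPLE_INDEX = (
    "V\t280101120000Z\t\t01\tunknown\t/C=US/O=Example Co/CN=mail.example.test\n"
    "R\t280101120000Z\t240315093000Z,keyCompromise\t02\tunknown\t/C=US/O=Example Co/CN=alice\n"
    "V\t200101120000Z\t\t03\tunknown\t/C=US/O=Example Co/CN=old-server\n"
    "V\t20280101120000Z\t\t04\tunknown\t/C=US/O=Example Co/CN=bob\n"
)


def parse_time(stamp):
    """openssl writes UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per non-empty index.txt line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, fname, subject = line.split("\t")
        rev_time, reason = None, None
        if revoked:
            stamp, _, reason = revoked.partition(",")
            rev_time = parse_time(stamp)
        entries.append({"status": status, "expiry": parse_time(expiry),
                        "revoked": rev_time, "reason": reason or None,
                        "serial": serial, "file": fname, "subject": subject})
    return entries


def audit(text, now):
    """Split serials into live, revoked (serial, reason) and expired-but-still-'V'."""
    live, revoked, stale = [], [], []
    for e in parse_index(text):
        if e["status"] == "R":
            revoked.append((e["serial"], e["reason"]))
        elif e["expiry"] <= now:
            stale.append(e["serial"])  # `openssl ca -updatedb` would mark these 'E'
        else:
            live.append(e["serial"])
    return live, revoked, stale
```

The `revoked` list is exactly what `openssl ca -gencrl` would place in the CRL, so comparing it against a published CRL is a quick consistency check for the repository piece described above.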
snacktime
2006-07-18 21:54:32 UTC
Post by Urjit Gokhale
So now I am a little confused about using openssl command line utility as CA
to give out certificates.
What could be the reasons for using anything other than openssl as CA? Are
there security issues?
Are people using openssl as their private CA? Are there any particular problems
reported regarding the use of openssl as a private CA on a large scale?
Well, openssl is really just a toolkit that can perform some functions
of a CA. And if you want an open source toolkit, it's really the only
option. I can't think of any features that openssl is missing that
you would need for a CA, and there aren't any openssl-specific
security issues; every application has security flaws now and then.

We use an openssl based ca for our payment gateway. We issue them to
clients, and require client certificates (in addition to the normal
username/password that uses kerberos) for all access to our web
interfaces that provide access to cardholder data. We were actually
the first gateway to do this, starting almost 4 years ago. It also
comes in handy for sending confidential information to our clients
via email. Every client already has a certificate installed, so
encrypting email messages to them is trivial. Much easier than trying
to train them to use something like PGP.

I would say for the most part private CAs are used in intranets,
although that is changing slowly.