Hi, everyone. I think this subject has been briefly raised before but I've more questions.

Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
Has anybody done this?
RHCS doesn't seem to be opensourced. Is there a reliable free alternative?

The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't, the management is a little concerned about MITM attacks against the FDS, so we need a way to verify that the server saying that it's our FDS really is the FDS. Right now no certs are deployed on the clients, we're using them only for SSL traffic encryption.

What's the best way to go about doing this? I don't want to manually create/deploy dozens of certs for various clients. I also need a way to implement CRL somehow, in case a box is compromised.

Thank you.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
George Holbert
2006-Mar-29 21:27 UTC
Re: [Fedora-directory-users] FDS & Red Hat Certificate System
> ...the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS. Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.

If I'm interpreting your question right, I think you're already covered for this as long as:
- Your client apps do server cert verification.
- Your internal CA isn't compromised.
- Your cert/key DB files on your FDS servers haven't been compromised.

You shouldn't need to sign a new certificate for every client, you just need a copy of the CA certificate on each client.

Susan wrote:
> Hi, everyone. I think this subject has been briefly raised before but I've more questions.
>
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
> Has anybody done this?
> RHCS doesn't seem to be opensourced. Is there a reliable free alternative?
>
> The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't,
> the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS. Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.
>
> What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> certs for various clients. I also need a way to implement CRL somehow, in case a box is
> compromised.
>
> Thank you.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Richard Megginson
2006-Mar-29 21:40 UTC
Re: [Fedora-directory-users] FDS & Red Hat Certificate System
Susan wrote:
> Hi, everyone. I think this subject has been briefly raised before but I've more questions.
>
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?

Yes. You go to the RHCS web interface, click "Get CA Cert Chain", and you can download or copy/paste the CA cert for use with client apps (or importing into your web browser or email program or etc.). This assumes you are using RHCS as your CA.

> Has anybody done this?

We used this extensively at Netscape.

> RHCS doesn't seem to be opensourced. Is there a reliable free alternative?

I don't know.

> The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't,
> the management is a little concerned about MITM attacks against the FDS, so we need a way to
> verify that the server saying that it's our FDS really is the FDS.

The only way to do this is to have a real FQDN as the cn of your server cert subject DN. When the server presents its cert during the SSL handshake, the client can verify that the CA (whose cert you have in the client cert db) signed the server's cert, and that the hostname in the subject DN of the server cert corresponds to the hostname that the server is on (reverse DNS lookup of the IP address of the server).

> Right now no certs are
> deployed on the clients, we're using them only for SSL traffic encryption.

Do you mean client cert auth?

> What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> certs for various clients.

CA certs or client certs? For the CA cert problem, AFAIK, there is no way around it - you have to configure your clients to trust your CA one way or another. You can mitigate this somewhat by going through the process of getting a real CA cert from one of the trusted root CAs listed in your web browser or email client.

> I also need a way to implement CRL somehow, in case a box is
> compromised.

RHCS also implements CRL generation and publishing, and also supports OCSP. One of our engineers is developing a mod_revocator Apache module which will automatically get CRLs for Apache certificate status checking (for servers and clients).

> Thank you.
--- George Holbert <gholbert@broadcom.com> wrote:
> You shouldn't need to sign a new certificate for every client, you just
> need a copy of the CA certificate on each client.

right. That's what I was wondering, is there a way to have all ldap clients go to some url & download the CA cert or something like that.
Mike Jackson
2006-Mar-29 21:43 UTC
Re: [Fedora-directory-users] FDS & Red Hat Certificate System
Susan wrote:
> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?

Handing out CA certs to clients is simply a matter of copying the file to the client, and maybe entering it into the certificate database, e.g. like the Netscape Communicator or FDS certdb.

> Is there a reliable free alternative?

OpenSSL is a free tool with all of the capabilities which are required to run a CA. I use it for all of my CA operations.

> The problem I'm trying to solve is that my CA cert is self-signed.

That is not a problem, it's a fact. Contrary to popular belief, self-signed CA certs are not bad when used company-internally. In fact, there are many benefits compared to having all of your certs issued from a commercial CA. Commercial server certs are for when you run public internet services and don't want your customers to see certificate questions. Why would they see certificate questions? Because their applications don't come bundled with your root CA cert... When you control the network, you can deploy applications with your root CA cert already inserted, or you can simply deploy it to workstations with Tivoli or cfengine, etc. Your internal customers still don't see certificate questions.

> I guess even if it weren't, the management is a little concerned about
> MITM attacks against the FDS, so we need a way to verify that the server
> saying that it's our FDS really is the FDS.

No problem. Just issue the FDS server certs from your own CA, e.g. OpenSSL. Import your own root CA cert into FDS as well. Import your own root CA cert to your clients, e.g. linux, solaris. The clients will verify the FDS cert against their copy of the root CA cert.

> Right now no certs are deployed on the clients, we're using them only
> for SSL traffic encryption.
>
> What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> certs for various clients. I also need a way to implement CRL somehow, in case a box is
> compromised.

Your clients don't need certificates, they only need a copy of your root CA cert - the same file for every client. You do not generally need to use "client authentication"; you really have to know what you are doing with PKI to know why you would want to use it. Clients generally do not need their own certs unless they are people and are doing S/MIME email.

It appears that you have fundamental misunderstandings of what a PKI is and does, and I suggest that you study the subject instead of using the learn-as-you-go ad-hoc network architecture method.

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm
http://www.opengroup.org/messaging/G260/pki_tutorial.htm

Finally, as soon as I get time, I will update the SSL Howto. I already have all of the scripts and methods for a fully automated setup of FDS with a third-party CA, namely OpenSSL. Lack of time is the only reason why I haven't yet written it up on the wiki.

BR,
--
mike
--- Richard Megginson <rmeggins@redhat.com> wrote:
> Susan wrote:
> > Hi, everyone. I think this subject has been briefly raised before but I've more questions.
> >
> > Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>
> Yes. You go to the RHCS web interface, click "Get CA Cert Chain", and
> you can download or copy/paste the CA cert for use with client apps (or
> importing into your web browser or email program or etc.). This assumes
> you are using RHCS as your CA.

well, I'm speaking strictly of ldap clients. Browsers I don't care about.

> > Has anybody done this?
>
> We used this extensively at Netscape.

to automatically hand out CA certs to ldap clients upon request?

> > Right now no certs are
> > deployed on the clients, we're using them only for SSL traffic encryption.
>
> Do you mean client cert auth?

well, no. We don't care whether the clients misrepresent themselves. We care if the FDS misrepresents itself.

> CA certs or client certs? For the CA cert problem, AFAIK, there is no
> way around it - you have to configure your clients to trust your CA one
> way or another. You can mitigate this somewhat by going through the
> process of getting a real CA cert from one of the trusted root CAs
> listed in your web browser or email client.

yea but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm guessing no....?
Rob Crittenden
2006-Mar-29 22:02 UTC
Re: [Fedora-directory-users] FDS & Red Hat Certificate System
Mike Jackson wrote:
> Susan wrote:
>
>> Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
>
> Handing out CA certs to clients is simply a matter of copying the file
> to the client, and maybe entering it into the certificate database e.g.
> like the Netscape Communicator or FDS certdb.
>
>> Is there a reliable free alternative?
>
> OpenSSL is a free tool with all of the capabilities which are required
> to run a CA. I use it for all of my CA operations.
>
>> The problem I'm trying to solve is that my CA cert is self-signed.
>
> That is not a problem, it's a fact. Contrary to popular belief,
> self-signed CA certs are not bad when used company internal. In fact,
> there are many benefits compared to having all of your certs issued from
> a commercial CA. Commercial server certs are for when you run public
> internet services and don't want your customers to see certificate
> questions. Why would they see certificate questions? Because their
> applications don't come bundled with your root CA cert...

It really depends on where you are deploying SSL. If you are deploying certificates for web servers it is a real problem. The trouble is that unless there is a central authority, dozens of internal sites will each have their own CA, training users to blindly accept every unknown web server as ok. So when these same users encounter the situation outside of the intranet, well, you get the picture. It opens up users to man-in-the-middle attacks.

> When you control the network, you can deploy applications with your root
> CA cert already inserted, or you can simply deploy it to workstations
> with Tivoli or cfengine, etc. Your internal customers still don't see
> certificate questions.
>
>> I guess even if it weren't, the management is a little concerned about
>> MITM attacks against the FDS, so we need a way to verify that the server
>> saying that it's our FDS really is the FDS.
>
> No problem. Just issue the FDS server certs from your own CA, e.g.
> OpenSSL. Import your own root CA cert into FDS as well. Import your own
> root CA cert to your clients, e.g. linux, solaris. The clients will
> verify the FDS cert against their copy of the root CA cert.
>
> Finally, as soon as I get time, I will update the SSL Howto. I already
> have all of the scripts and methods for fully automated setup up FDS
> with a third-party CA, namely OpenSSL. Lack of time is the only reason
> why I haven't yet written it up on the wiki.

Note that OpenSSL could introduce exactly the same problems that users have encountered trying to use NSS as a poor-man's CA, namely issuing multiple CA certificates for each server in the MMR. The solution here isn't the SSL library, it is the method in which it is used. NSS can easily handle these too and you can operate more directly on the certificate databases with it.

PKI is definitely not for the weak of heart but the illusion of security is worse than no security at all.

rob
--- Mike Jackson <mj@sci.fi> wrote:
> > What's the best way to go about doing this? I don't want to manually create/deploy dozens of
> > certs for various clients. I also need a way to implement CRL somehow, in case a box is
> > compromised.
>
> Your clients don't need certificates, they only need a copy of your root
> CA cert - the same file for every client.

right, I think I was confused on that point. I meant to say that I don't want to deploy the CA cert to dozens of clients. So, forget the CRL, then... Because we have about 60 servers total. Now, /etc/openldap/cacerts/ is writable by root only and I'd have to do some serious expect/perl scripting to ssh into every machine, accept the key, su - root, scp the CA cert, log out. I really don't want to do this if I don't have to. So, are you saying I can use openSSL + linux openldap client to do this automagically?
George Holbert
2006-Mar-29 22:15 UTC
Re: [Fedora-directory-users] FDS & Red Hat Certificate System
> ...to automatically hand out CA certs to ldap clients upon request?

There is no standard mechanism for this. You have to manually copy CA certs to the location and in the format that each of your secure LDAP client apps expects.

> yea but what about ldap clients? AFAIK no ldap client implicitly trusts verisign or anything like
> that. So, even if I do get a real CA cert, will a plain vanilla FC4 install trust it? I'm
> guessing no....?

RedHat Linux in the past has come with a bundle of well-known CA certs in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it has this too?

You would still need to configure LDAP client apps to know about this file. Using PADL's pam_ldap/nss_ldap as an example, you would need to add:

tls_cacertfile /usr/share/ssl/cert.pem

...to /etc/ldap.conf.
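What the thread converges on is a three-part job: copy the one root CA cert to every client's cacerts directory (the scripting Susan dreads), point the LDAP client library at it the way George's tls_cacertfile line does, and, before deploying, confirm the FDS server cert actually chains to that CA and carries the FQDN in its subject CN, which is the pair of checks Richard says a verifying client performs. The script below is an added example written for this page; it is not code from the thread or from the Fedora Directory Server project. It assumes PADL nss_ldap/pam_ldap (the tls_checkpeer option it sets is a real PADL option that the thread does not mention), an OpenSSL command line on the client, and PEM-encoded certs; every path is a parameter, so the functions can be rehearsed against a scratch directory before being run as root against /etc/openldap/cacerts and /etc/ldap.conf.

```shell
#!/bin/sh
# Added example, not from the thread: push one root CA cert to an LDAP client,
# point PADL nss_ldap/pam_ldap at it, and sanity-check the server cert first.
set -e

# Set "key value" in a PADL-style ldap.conf exactly once: any active line for
# the key is dropped, every other line is kept, and the new setting is appended.
set_ldap_conf_key() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp)
    grep -v "^[[:space:]]*$key[[:space:]]" "$conf" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$conf"      # cat, not mv, so the file's owner and mode survive
    rm -f "$tmp"
}

# Print the current value of a key (the last setting wins, as nss_ldap reads it).
get_ldap_conf_key() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Copy the CA cert into the client's cacerts directory, add the OpenSSL-style
# <hash>.0 link so the same directory also works for tls_cacertdir, then tell
# nss_ldap to use the file and to reject any server whose cert does not chain
# to it (tls_checkpeer). The hash link is skipped if openssl cannot parse the file.
install_ca_cert() {
    pem=$1; cadir=$2; conf=$3
    mkdir -p "$cadir"
    dest="$cadir/$(basename "$pem")"
    cp "$pem" "$dest"
    chmod 644 "$dest"
    if command -v openssl >/dev/null 2>&1 &&
       h=$(openssl x509 -noout -hash -in "$dest" 2>/dev/null); then
        ln -sf "$(basename "$dest")" "$cadir/$h.0"
    fi
    set_ldap_conf_key "$conf" tls_cacertfile "$dest"
    set_ldap_conf_key "$conf" tls_checkpeer yes
}

# Pre-deployment check of an FDS server cert (PEM): it must chain to the CA
# file and its subject CN must equal the FQDN clients will connect to. Returns
# non-zero on either failure, so it can gate a rollout script.
check_server_cert() {
    cert=$1; cafile=$2; fqdn=$3
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
    # handles both "subject= /CN=host" (OpenSSL 0.9.x) and "subject=CN = host" (1.1+)
    cn=$(openssl x509 -noout -subject -in "$cert" |
         sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    [ "$cn" = "$fqdn" ]
}

# Usage on each client (as root, e.g. from an ssh loop or cfengine):
#   sh install-ca.sh /tmp/our-root-ca.pem /etc/openldap/cacerts /etc/ldap.conf
if [ $# -eq 3 ]; then
    install_ca_cert "$1" "$2" "$3"
fi
```

Because set_ldap_conf_key replaces rather than appends, the script can be re-run on a client that already has an older tls_cacertfile line without leaving two conflicting settings behind; the hash link means a later switch to tls_cacertdir needs no second copy of the file.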
Richard Megginson
2006-Mar-29 22:23 UTC
Re: [Fedora-directory-users] FDS & Red Hat Certificate System
George Holbert wrote:
>> ...to automatically hand out CA certs to ldap clients upon request?
>
> There is no standard mechanism for this. You have to manually copy CA
> certs to the location and in the format that each of your secure LDAP
> client apps expects.
>
>> yea but what about ldap clients? AFAIK no ldap client implicitly
>> trusts verisign or anything like
>> that. So, even if I do get a real CA cert, will a plain vanilla FC4
>> install trust it? I'm
>> guessing no....?
>
> RedHat Linux in the past has come with a bundle of well-known CA certs
> in /usr/share/ssl/cert.pem. I haven't used FC4, but I'm guessing it
> has this too?
>
> You would still need to configure LDAP client apps to know about this
> file.
> Using PADL's pam_ldap/nss_ldap as an example, you would need to add:
> tls_cacertfile /usr/share/ssl/cert.pem
> ...to /etc/ldap.conf.

In Fedora Core 5 this is in /etc/pki/tls/cert.pem:

# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from certdata.txt RCS revision 1.37
#
.....