On 04/14/2017 10:41 PM, Alice Wonder wrote:
> https://www.openca.org/ might fit my needs.

their Centos repo does not exist, it seems?

>
> On 04/14/2017 06:29 PM, Alice Wonder wrote:
>> Hello list,
>>
>> I'm contemplating running my own CA to implement the new proposed ISP
>> for validation of S/MIME certificates via DANE.
>>
>> I already use self-signed for my MX servers (with 3 1 1 dane records on
>> TCP port 25) but I don't want to use self-signed for S/MIME for user
>> specific x.509 certs because
>>
>> A) That's potentially a lot of DNS records
>> B) That requires a hash of the e-mail addresses in DNS
>>
>> Instead, I will be using a wildcard in DNS with an intermediary that
>> signs the user x.509 certificates.
>>
>> Using an intermediary to sign their certificates though means I can't
>> just revoke their certificates by removing the DNS certificate, I'll
>> need to provide an OCSP server for when one of their private keys gets
>> compromised.
>>
>> I found
>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html
>>
>> but it looks like that is intended for enterprise, more complex than I
>> need.
>>
>> Anyone know of a good simple script for providing OCSP ??
>>
>> -=-
>>
>> Not relevant to question but just important for me to note, I will *not*
>> be asking people to install my root certificate in their e-mail clients.
>> I think it is a bad practice to get users in the habit of installing
>> root certificates.
>>
>> I think the PKI system has way way way too many root certificates as it
>> is. I want a world where DANE validates most certificates, and only a
>> few root certificates are needed for things like banks where EV
>> certificates are a must.
>>
>> DANE as a way to validate S/MIME I think will be a godsend to e-mail
>> security, I hope clients implement it.
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
Oh I don't know, their github works.

However it seems that it isn't able to deal with more than one ocsp
signing key.

On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
> On 04/14/2017 10:41 PM, Alice Wonder wrote:
>> https://www.openca.org/ might fit my needs.
>
> their Centos repo does not exist, it seems?
What about the pki package that comes with Centos? pki-server and pki-ca?

On 04/16/2017 11:54 AM, Alice Wonder wrote:
> Oh I don't know, their github works.
>
> However it seems that it isn't able to deal with more than one ocsp
> signing key.
>
> On 04/16/2017 08:40 AM, Robert Moskowitz wrote:
>> On 04/14/2017 10:41 PM, Alice Wonder wrote:
>>> https://www.openca.org/ might fit my needs.
>>
>> their Centos repo does not exist, it seems?
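The "simple script for providing OCSP" asked for in the thread, as an added example that is not from the thread or from any of the projects named in it: a file-based OpenSSL issuing CA with a delegated OCSP signing certificate (extendedKeyUsage OCSPSigning, so the CA key stays offline), answering a status request with `openssl ocsp` from a `ca`-style index file, then re-checking after the user's entry is marked revoked for key compromise. The Demo subject names, alice@demo.example, the serials 0x1001/0x2001 and the temporary directory are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the thread: minimal file-based CA plus a delegated OCSP
# signer, exercised offline with "openssl ocsp -reqin/-respout" (no listening port).
# Subject names, alice@demo.example, the serials and the temp dir are constructed.
set -eu
W=$(mktemp -d); cd "$W"
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[smime]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@demo.example
[ocsp]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
EOF
issue() { # issue <name> <subject> <extension section> <serial>: key + CSR, signed by the CA
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$4" -days 30 \
    -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj '/CN=Demo Issuing CA' 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ext.cnf -extensions ca -out ca.pem 2>/dev/null
issue ocsp  '/CN=Demo OCSP Responder' ocsp  0x2001   # delegated responder cert, not the CA key
issue alice '/CN=alice@demo.example'  smime 0x1001   # one user's S/MIME certificate
exp=$(date -u -d '+30 days' +%y%m%d%H%M%SZ 2>/dev/null || date -u -v+30d +%y%m%d%H%M%SZ)
# "openssl ca" index format: status, expiry, revocation time[,reason], serial (hex), file, subject
index_valid()   { printf 'V\t%s\t\t1001\tunknown\t/CN=alice@demo.example\n' "$exp" > index.txt; }
index_revoked() { printf 'R\t%s\t%s,keyCompromise\t1001\tunknown\t/CN=alice@demo.example\n' \
                    "$exp" "$(date -u +%y%m%d%H%M%SZ)" > index.txt; }
# Client builds the request, the responder answers from index.txt, the client verifies
# the signed response against the issuing CA and prints the status word (good/revoked).
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert alice.pem -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -respin resp.der -issuer ca.pem -cert alice.pem -CAfile ca.pem -no_nonce 2>&1 \
    | sed -n 's/^alice.pem: \([a-z]*\).*/\1/p'
}
index_valid;   echo "alice before revocation: $(ocsp_status)"   # good
index_revoked; echo "alice after revocation:  $(ocsp_status)"   # revoked
```

The same responder serves clients over HTTP when given `-port` instead of `-reqin`/`-respout`, and revoking a certificate is just rewriting its index line from V to R, which is what `openssl ca -revoke` does.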