On Wed, 19 Oct 2005, Chris Edwards wrote:
> At Glasgow uni we operate our own campus certificate authority, which
> signs server certificates for many services hosted centrally, and also
> services hosted in departments.
Indeed. Although, for less-stringent purposes, we have also used
self-signed certificates.
It's been a while since I actually did that, but, as I recall it, the
generation of a self-signed certificate in openssl produces a
certificate which is, in effect, its own CA. Some applications which
use certificates (e.g. Mozilla) have the ability to remember that an
individual certificate is trusted, but others (e.g. PINE) wanted a CA
to be installed in the openssl framework (or else certificate
verification had to be suppressed, which isn't nice) - for that
purpose, we had to derive a particular format from the self-signed
certificate, make it available to the client stations, and put it into
the place where the trusted CAs are kept.
Back then, I see from my mail archive that I was following a tutorial
at tirian.magd.ox.ac.uk, whose URL is irrelevant now as I see that it
is now a permanent redirect to:
http://www.gagravarr.org/writing/openssl-certs/email.shtml
The alternative (if many server certificates are involved) seems to be
a self-signed CA, which is then used to sign the individual
certificates.
The tutorial is written as for PINE, but the certificates are being
put into the system's openssl framework, so they aren't by any means
specific to PINE - they should be good for any certificated server
activity based on openssl.
I won't try to reproduce too many details here, as I'm sure to get
them wrong after this lapse of time, so if anyone wants to pursue
this, could I refer you to the tutorial?
But, coming back to Chris and the campus's "corporate CA":
> This scheme would be no use if for example we were selling stuff to
> arbitrary customers out on the net. But in our environment, where
> the majority of our "customers" are using our services every day, it
> works well.
Yes indeed.
[...]
> Whereas I'm not sure how a commercial CA could distinguish an
> arbitrary member of staff (or student, or member of the public)
> fraudulently claiming to be responsible for IT in the Physics
> department, and hence decline the request.
One might hope that they'd only respond to an official Order. But, as
you say, *they* still wouldn't know whether the order had been placed
in the name of someone authorised to run a secure server. At least
the official order would represent some kind of internal audit trail,
no?
all the best
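The "self-signed CA which is then used to sign the individual certificates" route, and the installed-CA check that a client such as PINE does against the openssl trust store, driven with the openssl command line. This is an added example, not commands from the message above or from the cited tutorial; the names (Example Campus CA, mail.example.ac.uk) and the temporary working directory are constructed placeholders, and the CA:TRUE marking on the root relies on the stock openssl.cnf defaults (or OpenSSL 3.x's built-in defaults) for `openssl req -x509`.

```shell
#!/bin/sh
# Added example (not from the original message or the tutorial it cites):
# a private CA, one server certificate signed by it, the CA exported in DER
# for clients that want that encoding, and the chain check an openssl-based
# client performs. Names below are constructed placeholders, not real hosts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: a self-signed CA certificate. openssl req -x509 makes the subject
# its own issuer (and, with default config, marks it CA:TRUE); this is the
# one file that has to be installed where the clients keep trusted CAs.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Campus/CN=Example Campus CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: a server key plus CSR, then a leaf certificate signed by the CA.
# The extension file pins it as a non-CA, server-auth certificate with the
# hostname in subjectAltName (clients match that, not merely the CN).
make_server_cert() {
    host=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Campus/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.pem" 2>/dev/null
}

# Some clients want the CA as binary DER rather than PEM: the same
# certificate in a different encoding, which is the kind of "particular
# format" conversion the message refers to.
export_ca_der() {
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
}

# True when subject == issuer, i.e. the certificate vouches for itself.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# What a client does once the CA is installed: build the chain up to the
# trusted CA and check the name it was told to connect to.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# The same certificate with no CA trusted at all: this is the failure that
# tempts people into suppressing verification instead of installing the CA.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$WORK/$1.pem" >/dev/null 2>&1
}

HOST=mail.example.ac.uk
make_ca
make_server_cert "$HOST"
export_ca_der
if verify_with_ca "$HOST"; then echo "chain OK with the campus CA installed"; fi
if ! verify_without_ca "$HOST"; then echo "chain rejected without the CA (expected)"; fi
```

Run it as-is; the two closing lines show the contrast the message draws: the leaf certificate only verifies once the CA is trusted, and with nothing trusted the only "fix" short of installing the CA is to disable verification. For real deployments the CA key in `$WORK/ca.key` is the thing to keep offline, since anyone holding it can issue certificates every client on campus will accept.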