
How to use a certificate provided by some external CA ?

 
PatrickB



Joined: 03 Nov 2012
Posts: 46

Posted: Thu Mar 05, 2015 9:30 am    Post subject: How to use a certificate provided by some external CA ?

Hello.

This is a question in terms of global strategy.

Due to the issues I report in another post:
http://www.zeroshell.org/forum/viewtopic.php?t=4897

...I tried to set up a host certificate generated externally for the ZS box. By externally I mean: signed by the external CA that signs all in your organization.

The upload works but it does not want to use it and rather uses the one automatically rebuilt when a local CA has been set up (I did not try internal surgery since it is not natural).

Which means that the ZS box must be given a local CA certificate which is itself validated by the external CA. An intermediate CA, trusted by the external CA to certify any host in its name.

Which external CA agrees to do that for you (assuming that you are not a big international organization)?

Else, how can the ZS machine (and the subnet it masters) be integrated in a network connected to the Internet, where the other certificates are all signed, directly or not, by international CAs?
i.e.: How to use such a "world wide" certificate for the ZS host?

Thanks, best regards.
garfield



Joined: 17 Jul 2011
Posts: 4

Posted: Sat Jan 02, 2016 6:15 am    Post subject: Re: How to use a certificate provided by some external CA ?

PatrickB wrote:
Hello.

This is a question in terms of global strategy.

Due to the issues I report in another post:
http://www.zeroshell.org/forum/viewtopic.php?t=4897

...I tried to set up a host certificate generated externally for the ZS box. By externally I mean: signed by the external CA that signs all in your organization.

The upload works but it does not want to use it and rather uses the one automatically rebuilt when a local CA has been set up (I did not try internal surgery since it is not natural).

Which means that the ZS box must be given a local CA certificate which is itself validated by the external CA. An intermediate CA, trusted by the external CA to certify any host in its name.

You must use a special type of certificate (issuer certificate) because you will act as a certificate authority (CA).

PatrickB wrote:

Which external CA agrees to do that for you (assuming that you are not a big international organization)?

You wouldn't find any international CA which gives you permission to act as a sub certification authority (CA), because all instances of CAs must have the same level of security and policies. Otherwise, there is a risk of compromising the generated certificates. Look at PKI architecture and its components and policies, and you will know what I mean.

PatrickB wrote:

Else, how can the ZS machine (and the subnet it masters) be integrated in a network connected to the Internet, where the other certificates are all signed, directly or not, by international CAs?
i.e.: How to use such a "world wide" certificate for the ZS host?

Thanks, best regards.

IMHO it doesn't make sense to import certificates from international CAs into ZS, as long as the public service is not provided by ZS.

In any case you must generate your own certificates from an international CA (for example, look at CAcert for an international CA). These certificates must be imported into the appropriate components. For example, this can be an Apache web service, a Tomcat service and so on, which manage your public (internationally reachable) service. The common name of these certificates must match the internationally reachable FQDN of your service!

Best regards
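
The two kinds of certificate discussed in this thread can be told apart with the `openssl` command line. The following is an added example, not part of either post: it checks whether a certificate is an issuer (CA) certificate, whether a host certificate covers a given FQDN, and whether it chains to the CA. The throwaway CA, the host name `www.example.org`, and all file and function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example. All names, files and certificates below are constructed samples.

# Exit 0 if the certificate may act as an issuer (basicConstraints CA:TRUE).
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Exit 0 if the certificate (SAN, else CN) is valid for host name $2.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Exit 0 if certificate $2 chains to the trust anchor in $1.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build a throwaway CA and a host certificate signed by it in directory $1.
make_sample_certs() {
    cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[host_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.org
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ext.cnf" \
        -extensions ca_ext -subj "/CN=Example Local CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" \
        -subj "/CN=www.example.org" \
        -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/ext.cnf" -extensions host_ext \
        -out "$1/host.pem" 2>/dev/null
}

# Demo: report what each sample certificate can be used for.
dir=$(mktemp -d) && make_sample_certs "$dir" && for c in ca host; do
    if cert_is_ca "$dir/$c.pem"; then kind="CA (issuer)"; else kind="host"; fi
    echo "$c.pem: $kind certificate"
done
cert_matches_host "$dir/host.pem" www.example.org && echo "host.pem covers www.example.org"
rm -rf "$dir"
```

Running `cert_is_ca` on a certificate before uploading it shows whether it can serve as the local CA certificate or only as a host certificate.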
All times are GMT