Re: Re: How to use a certificate provided by some external CA?



@PatrickB wrote:


This is a question in terms of global strategy.

Due to the issues I report in another post:

…I tried to set up a host certificate generated externally for the ZS box. By externally I mean: signed by the external CA that signs everything in your organization.

The upload works, but it does not want to use it and rather uses the one automatically rebuilt when a local CA has been set up (I did not try internal surgery 😈 since it is not natural).

Which means that the ZS box must be given a local CA certificate which is itself validated by the external CA: an intermediate CA, trusted by the external CA to certify any host in its name 😆

You must use a special type of certificate (an issuer certificate) because you will act as a certificate authority (CA).
@PatrickB wrote:

Which external CA agrees to do that for you (assuming that you are not a big international organization)?

You won't find any international CA that gives you permission to act as a sub certification authority (CA), because all CAs in the hierarchy must have the same level of security and policies; otherwise there is a risk that the generated certificates are compromised. Look at the PKI architecture, its components and policies, and you will know what I mean.
@PatrickB wrote:

Else, how can the ZS machine (and the subnet it masters) be integrated into a network connected to the Internet, where the other certificates are all signed, directly or not, by international CAs?
I.e.: how to use such a “world-wide” certificate for the ZS host?

Thanks, best regards.

IMHO it doesn't make sense to import certificates from international CAs into ZS, as long as the public service is not provided by ZS.

In any case you must get your own certificates issued by an international CA (for example, look at CAcert for an international CA). These certificates must be imported into the appropriate components, for example an Apache web service, a Tomcat service and so on, which provide your public (internationally reachable) service. The common name of these certificates must match the internationally reachable FQDN of your service!

Best regards
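To make the two points of this thread concrete (an intermediate needs an issuer certificate with CA:TRUE to sign host certificates in the external CA's name, and a host certificate is only accepted for the FQDN it names), here is an added example that is not from the original posts and not ZeroShell's own code. It builds a throw-away chain with the openssl command line: a root CA standing in for the "external CA", an intermediate CA, and a host certificate. It then shows that only the CA certificates can act as issuers, that the host certificate verifies only for its own name, and that a certificate signed with the host certificate is rejected. The names example.org / zs.example.org and the 30-day validity are assumptions made for the demo; it only assumes an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from ZeroShell): root CA -> intermediate CA -> host
# certificate with openssl, showing what makes an "issuer certificate" different from a
# host certificate and why the host name must match. All names below are made up.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

build_chain() {
  # 1. Root CA, standing in for the "external CA" of the thread: self-signed, CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.csr" \
    -subj "/CN=Example Root CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$WORKDIR/root.ext"
  openssl x509 -req -in "$WORKDIR/root.csr" -signkey "$WORKDIR/root.key" \
    -days 30 -sha256 -extfile "$WORKDIR/root.ext" -out "$WORKDIR/root.crt" 2>/dev/null

  # 2. Intermediate CA: the kind of certificate a ZS box would need in order to issue
  #    host certificates in the external CA's name. pathlen:0 forbids further sub-CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/inter.key" -out "$WORKDIR/inter.csr" \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$WORKDIR/inter.ext"
  openssl x509 -req -in "$WORKDIR/inter.csr" -CA "$WORKDIR/root.crt" \
    -CAkey "$WORKDIR/root.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$WORKDIR/inter.ext" -out "$WORKDIR/inter.crt" 2>/dev/null

  # 3. Host (end-entity) certificate: CA:FALSE, the FQDN in the SAN (and in the CN).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/host.key" -out "$WORKDIR/host.csr" \
    -subj "/CN=zs.example.org" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                'keyUsage=critical,digitalSignature,keyEncipherment' \
                'extendedKeyUsage=serverAuth' \
                'subjectAltName=DNS:zs.example.org' > "$WORKDIR/host.ext"
  openssl x509 -req -in "$WORKDIR/host.csr" -CA "$WORKDIR/inter.crt" \
    -CAkey "$WORKDIR/inter.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$WORKDIR/host.ext" -out "$WORKDIR/host.crt" 2>/dev/null
}

# Succeeds if the certificate in $1 carries basicConstraints CA:TRUE, i.e. is an issuer
# certificate that verifiers will accept as a signer of other certificates.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Verifies host.crt against the root, with the intermediate supplied as untrusted, and
# additionally requires the certificate to be valid for the host name given in $1.
verify_host() {
  openssl verify -CAfile "$WORKDIR/root.crt" -untrusted "$WORKDIR/inter.crt" \
    -verify_hostname "$1" "$WORKDIR/host.crt" >/dev/null 2>&1
}

# Misuses host.crt as an issuer: signs a fresh CSR with the host key and tries to verify
# the result through root -> inter -> host. Fails because host.crt is not CA:TRUE and
# lacks keyCertSign, whatever the signature itself looks like.
leaf_signed_by_host_cert_verifies() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/leaf.key" -out "$WORKDIR/leaf.csr" \
    -subj "/CN=leaf.example.org" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/leaf.csr" -CA "$WORKDIR/host.crt" \
    -CAkey "$WORKDIR/host.key" -CAcreateserial -days 30 -sha256 \
    -out "$WORKDIR/leaf.crt" 2>/dev/null
  cat "$WORKDIR/inter.crt" "$WORKDIR/host.crt" > "$WORKDIR/untrusted.pem"
  openssl verify -CAfile "$WORKDIR/root.crt" -untrusted "$WORKDIR/untrusted.pem" \
    "$WORKDIR/leaf.crt" >/dev/null 2>&1
}

build_chain
for f in root inter host; do
  if is_ca_cert "$WORKDIR/$f.crt"; then echo "$f.crt: issuer certificate (CA:TRUE)"
  else echo "$f.crt: host certificate (CA:FALSE)"; fi
done
if verify_host zs.example.org; then echo "host.crt accepted for zs.example.org"; fi
if ! verify_host other.example.org; then echo "host.crt rejected for other.example.org"; fi
if ! leaf_signed_by_host_cert_verifies; then echo "leaf.crt issued by host.crt is rejected"; fi
```

The three checks map onto the discussion above: the issuer property lives in the basicConstraints and keyUsage extensions, not in who uploaded the file, so a host certificate signed by the external CA can never stand in for the intermediate CA that ZS needs; and the hostname check is what enforces the "common name must match the FQDN" rule for a public service.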