How can you issue trusted certificates?

by Volker Weber

Declan asked me yesterday:

I would like to be able to issue X.509 certs to all staff in my Domino directory. Now I know I can do this with the built-in Domino CA, but these certs aren't signed by a public authority, so they can't be automatically trusted.

Do you know of any way that the Domino CA can be set up so that it can issue certs from somebody like Thawte?

This is an excellent question. I have set up Domino CAs in the past, both for issuing server certificates for intranet sites and for issuing client certificates that enable automatic and transparent login to sites via SSL. However, I have never set up a corporate CA to issue X.509 keys for signing and encrypting mail.

If you use your own self-certified root certificate, everything works, except that you need to distribute that root certificate to all clients. This is not an option for email that leaves your realm. The question boils down to:

How do you become a sub-CA of a trusted CA?

Comments

There is an initiative called the European Bridge-CA which does exactly what you need. It links different independent CA authorities and allows for automatic certificate trust without the complexity of key distribution.
I know first-hand that Deutsche Bank is using this to bridge their (non-Domino) CA to others. Using a native Domino CA should be OK as well; you could also import the X.509 certificates into your Domino Directory and into users' IDs (even though that obviously would require some additional work).

Ragnar Schierholz, 2005-01-10

Or you could join one of Verisign's or Thawte's Managed PKI programs which allow you to issue certificates yourself.
This is not "for free" of course...

Christoph Rummel, 2005-01-10

The Bridge CA system is an interesting concept. Its setup is very similar to the bridge being an adjacent domain and the company you're sending to being a non-adjacent domain. The only problem is that both you and the receiver need to be part of this setup for it to be of any benefit.

The managed PKI solutions don't cut the mustard either: you use a web interface to create the *.p12 for each person in your NAB and then have to import them all. A lot of work.

If the Domino CA could be certified by one of the roots, then you would have an automated solution. With the old Domino SiteCert.NSF method you could create SSL keys that could be signed by the likes of Verisign etc., but the new Domino CA doesn't do this at all.

Declan Lynch, 2005-01-10

Generating the certificate requests is a job that can easily be done by a script and a list containing name, email address, organisation, organisational unit etc.
But still, every request has to be enrolled on its own, unless there is a way to do a bulk upload, which I don't know of.

Christoph Rummel, 2005-01-10
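A script of the kind Christoph describes, added here as an illustration and not part of the original thread: it reads a constructed staff list (name, email address, organisation, organisational unit) and produces a private key and a PKCS#10 request per person with openssl, ready to be enrolled at whichever CA you use. The CSV layout, the output directory, the file naming and the sample entries are assumptions.

```shell
#!/bin/sh
# Batch CSR generation from a staff list (constructed example, not from the post).
# Input CSV columns: name,email,organisation,organisational_unit (no commas in fields).
# Output: <OUT>/<local-part>.key and <OUT>/<local-part>.csr for each person.
set -eu

OUT="${OUT:-$(mktemp -d)}"

# Escape '/' in a DN field so a value cannot inject extra RDNs into -subj.
esc() { printf '%s' "$1" | sed 's#/#\\/#g'; }

# Generate one RSA key pair and CSR. Usage: gen_csr <name> <email> <org> <ou>
gen_csr() {
    name=$1; email=$2; org=$3; ou=$4
    # File names come from the email's local part, reduced to safe characters.
    base=$(printf '%s' "$email" | sed 's/@.*//; s/[^A-Za-z0-9._-]/_/g')
    mkdir -p "$OUT"
    key="$OUT/$base.key"; csr="$OUT/$base.csr"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" \
        -subj "/CN=$(esc "$name")/emailAddress=$(esc "$email")/O=$(esc "$org")/OU=$(esc "$ou")" \
        2>/dev/null
    chmod 600 "$key"          # the private key never leaves this host
    printf '%s\n' "$csr"
}

# Walk the list (header skipped) and generate one request per line.
gen_all() {
    tail -n +2 "$1" | while IFS=, read -r name email org ou; do
        gen_csr "$name" "$email" "$org" "$ou"
    done
}

# Print a CSR's subject so it can be checked before submission.
csr_subject() { openssl req -in "$1" -noout -subject; }

# Constructed sample staff list.
STAFF=$(mktemp)
cat > "$STAFF" <<'EOF'
name,email,organisation,organisational_unit
Declan Lynch,declan@example.com,Example Ltd,IT
Jane Doe,jane.doe@example.com,Example Ltd,Sales
EOF

gen_all "$STAFF"
```

Each .csr then goes to the CA for signing; the returned certificate is what gets imported into the directory and the user's ID, while the .key files stay with the requester.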
