using openssl as CA ?
using openssl as CA ?

Urjit Gokhale
Hi,
I am planning to SSL-enable my client-server application, which I will be making available for commercial use. In this process I had planned to use the openssl command-line utility as a CA to give out certificates (I am going to act as a private CA). But just then, I came across a section in "Network Security with OpenSSL" (O'Reilly) that states:
"Since OpenSSL's command-line CA functionality was intended primarily as an example of how to use OpenSSL to build a CA, we don't recommend that you attempt to use it in a large production environment."
It also talks about freely available CA packages such as OpenCA and pyCA.
 
So now I am a little confused about using the openssl command-line utility as a CA to give out certificates.
What could be the reasons for using anything other than openssl as a CA? Are there security issues?
Are people using openssl as their private CA? Are any particular problems reported regarding the use of openssl as a private CA on a large scale?
 
I googled a bit regarding this, but could not find any information as such, so I decided to ask on the list.
 
~ Urjit

 

DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails.
Re: using openssl as CA ?

Krishna M Singh-2
Hi
I feel lots of people like us do use OpenSSL CAs. One problem you
would face is installing the CA cert in each and every client browser,
else that would give pop-ups. Apart from that, I feel this is as
secure as any commercial CA.

-Krishna

On 7/18/06, Urjit Gokhale <[hidden email]> wrote:

>
> Hi,
> I am planning to ssl enable my client server application, that I will be
> making available for commercial use. In this process I had planned to use
> openssl command line utility as CA to give out certificates (I am going to
> work as private CA). But just then, I came across a section in "Network
> Security with openSSL" (O'Reilly), that states
> "Since OpenSSL's command-line CA functionality was intended primarily as an
> example of how to use OpenSSL to build a CA, we don't recommend that you
> attempt to use it in a large production environment."
> It also talks about freely available CA packages such as openCA and pyCA.
>
> So now I am a little confused about using openssl command line utility as CA
> to give out certificates.
> What could be the reasons for using anything other than openssl as CA? Are
> there security issues?
> Are people using openssl as their private CA? are any particular problems
> reported regarding the use of openssl as private CA on large scale?
>
> I google'd a bit regarding this, could not get any information as such. So
> decided to ask this on the list.
>
> ~ Urjit
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: using openssl as CA ?

Bernhard Fröhlich-2
In reply to this post by Urjit Gokhale
Urjit Gokhale wrote:

> Hi,
> I am planning to ssl enable my client server application, that I will
> be making available for commercial use. In this process I had planned
> to use openssl command line utility as CA to give out certificates (I
> am going to work as private CA). But just then, I came across a
> section in "Network Security with openSSL" (O'Reilly), that states
> "Since OpenSSL's command-line CA functionality was intended primarily
> as an example of how to use OpenSSL to build a CA, we don't recommend
> that you attempt to use it in a large production environment."
> It also talks about freely available CA packages such as openCA and pyCA.
>  
> So now I am a little confused about using openssl command line utility
> as CA to give out certificates.
> What could be the reasons for using anything other than openssl as CA?
> Are there security issues?
> Are people using openssl as their private CA? are any particular
> problems reported regarding the use of openssl as private CA on large
> scale?
I do use openssl (with some custom things like a website for clients to
generate keys and CSRs for a browser) as a private CA and it works quite
fine. I guess it's not ideal if you have lots (thousands) of
certificates to manage, mainly for performance reasons. And it's kind of
spartan.

If you want to work with client certificates you'll probably need a
practical way for your users to generate certificates, since you should
not assume a typical user can generate a key pair and CSR using the
openssl utility, especially if they should be able to use it in things
like browsers or other client side tools.

So IMHO it is possible, but there may be a bit of extra work. I do not know
of any insecurities and I would expect none.
Also, I have not tested other CA packages, so I cannot give you a direct
comparison...

Hope it helps
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
Re: using openssl as CA ?

Jorey Bump
In reply to this post by Urjit Gokhale
Urjit Gokhale wrote:

> So now I am a little confused about using openssl command line utility
> as CA to give out certificates.
> What could be the reasons for using anything other than openssl as CA?
> Are there security issues?
> Are people using openssl as their private CA? are any particular
> problems reported regarding the use of openssl as private CA on large scale?

I use openssl for CA management without any problems at all. I think all
of the issues are related to implementation rather than capability (FIPS
notwithstanding). Other tools may provide more convenient interfaces,
but the same basic principles apply.

Remember that a CA is a valuable resource, so protect it well. My CA is
essentially a portable directory of files that is strongly encrypted
when I'm not using it. How you scale this depends on the needs of your
organization.
Re: using openssl as CA ?

snacktime
We have our own CA that uses perl to call openssl directly, and have
used it for several years.  We store everything in a database though
instead of relying on openssl's text files that it uses natively.
Right now we are in the process of rewriting the CA in ruby, so we can
use ruby on rails for the web interface.
Re: using openssl as CA ?

Bear Giles
In reply to this post by Urjit Gokhale
> What could be the reasons for using anything other than openssl as CA? Are
> there security issues?
>
> Are people using openssl as their private CA? are any particular problems
> reported regarding the use of openssl as private CA on large scale?

I was designing an open Java/C CA a few years back, but never released a
public version.  The target was small-midsized organizations, e.g., a CA
that would issue internal certificates for students and faculty at a
university.  I studied many of the issues that they're referring to.

There are actually three separate pieces to a "production" CA:

- a registration authority (RA).  This is what accepts the requests and
supporting documentation.  We can use openssl command lines, a public CA
can use a website or email, an organization can integrate this into the
standard intake processing for new employees, students, patients, clients,
whatever.

- a certificate repository (Repository).  This is what publishes
certificates and CRLs.  There are RFCs that describe various standard ways
of providing this information, what types of searches should be supported,
etc.

The openssl CA maintains this information in a set of files.  I had
prototyped PostgreSQL with custom types so I had native support of
certificates and keys.  That was seriously cool since I could do pretty
much everything openssl does as natively supported database functions and
stored procedures.  (It would be published via a J2EE app.)

- a certificate authority [engine] (CA).  This does nothing but convert
CSRs to certs.

We're mostly looking at simple environments, but a "production" system
will have many layers of certificates.  E.g., you might have a grand-daddy
cert kept in a safe deposit box, top-level departmental certs (also kept
locked away), working departmental certs (kept in the CIO's office), and
the working certs used to sign CSRs.  The latter might be handled by
software, but a larger organization will want those top-level certs/keys
in hardware.

(BTW even that hierarchy may be simplified.  You may go top-level CA ->
servers CA -> mail servers CA -> departmental mail server CA -> working
departmental mail servers CA -> actual mail server.)

I'm sure you can do all of this with the openssl CA... but imagine signing
a thousand certs for the incoming freshman class.
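An added example, not code from the thread or from any poster, that wires the pieces Bear Giles lists into working openssl commands: an offline root CA that signs only an issuing (intermediate) CA, which in turn signs a server CSR; the flat text "database" (index.txt, serial, crlnumber) that openssl ca keeps and that snacktime's post describes replacing with a real database; and a revocation published through a CRL. Every name and path in it (Example Root CA, Example Issuing CA, app.example.test, the mktemp directories) is a constructed placeholder, and the config is a minimal one written for this example rather than anyone's production setup. It needs only a POSIX shell and the openssl binary.

```shell
#!/bin/sh
# Added example: two-tier private CA with the openssl CLI (root -> issuing CA -> leaf),
# plus revocation via CRL. All names and paths below are constructed placeholders.
set -eu

# write_ca_config DIR: the directory tree and config that 'openssl ca' expects.
# index.txt is the certificate database: one tab-separated line per issued cert
# (status V/R/E, expiry, revocation date, serial, file name, subject DN).
write_ca_config() {
    dir="$1"
    mkdir -p "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"      # the CA key is the asset to protect
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca        = local_ca
[ local_ca ]
dir               = $dir
database          = $dir/index.txt
new_certs_dir     = $dir/newcerts
serial            = $dir/serial
crlnumber         = $dir/crlnumber
certificate       = $dir/ca.crt
private_key       = $dir/private/ca.key
default_md        = sha256
default_days      = 365
default_crl_days  = 30
policy            = policy_cn
unique_subject    = no
[ policy_cn ]
commonName        = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
[ v3_root ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_issuing ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# P-256 keys: quick to generate, fine for a demonstration
new_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# build_ca WORKDIR: offline root -> issuing CA -> leaf cert, each via its own 'openssl ca' database
build_ca() {
    WORK="$1"; ROOT="$WORK/root"; ISSUING="$WORK/issuing"
    write_ca_config "$ROOT"; write_ca_config "$ISSUING"
    # root: self-signed; in production it stays offline and signs only the issuing CA
    new_key "$ROOT/private/ca.key"
    openssl req -x509 -new -config "$ROOT/openssl.cnf" -extensions v3_root -days 3650 \
        -key "$ROOT/private/ca.key" -subj "/CN=Example Root CA" -out "$ROOT/ca.crt" 2>/dev/null
    # issuing CA: a CSR signed by the root; pathlen:0 stops it from minting further CAs
    new_key "$ISSUING/private/ca.key"
    openssl req -new -config "$ISSUING/openssl.cnf" -key "$ISSUING/private/ca.key" \
        -subj "/CN=Example Issuing CA" -out "$ISSUING/ca.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ROOT/openssl.cnf" -extensions v3_issuing -days 1825 \
        -in "$ISSUING/ca.csr" -out "$ISSUING/ca.crt" 2>/dev/null
    # leaf: the CSR a server operator hands to the RA; the issuing CA signs it
    new_key "$WORK/server.key"
    openssl req -new -config "$ISSUING/openssl.cnf" -key "$WORK/server.key" \
        -subj "/CN=app.example.test" -out "$WORK/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ISSUING/openssl.cnf" -extensions v3_server \
        -in "$WORK/server.csr" -out "$WORK/server.crt" 2>/dev/null
}

# chain check: trust only the root, supply the issuing CA as an untrusted intermediate
verify_leaf() { openssl verify -CAfile "$ROOT/ca.crt" -untrusted "$ISSUING/ca.crt" "$WORK/server.crt"; }

# revoke_leaf: flips the leaf's index.txt line from V to R and publishes a fresh CRL
revoke_leaf() {
    openssl ca -batch -config "$ISSUING/openssl.cnf" -revoke "$WORK/server.crt" 2>/dev/null
    openssl ca -batch -config "$ISSUING/openssl.cnf" -gencrl -out "$ISSUING/crl.pem" 2>/dev/null
}

# same chain check, now consulting the issuing CA's CRL for the leaf (fails once revoked)
verify_leaf_with_crl() {
    openssl verify -crl_check -CRLfile "$ISSUING/crl.pem" -CAfile "$ROOT/ca.crt" \
        -untrusted "$ISSUING/ca.crt" "$WORK/server.crt"
}

# the query a database-backed RA would run; here it is an awk over the flat file
count_revoked() { awk 'BEGIN{FS="\t"} $1=="R"' "$ISSUING/index.txt" | wc -l | tr -d ' '; }

main_demo() {
    build_ca "$(mktemp -d)"; verify_leaf; revoke_leaf
    echo "revoked entries in $ISSUING/index.txt: $(count_revoked)"
    verify_leaf_with_crl || echo "leaf rejected after revocation (expected)"
}
main_demo
```

Run it as-is and it prints "server.crt: OK" for the chain check, then the revoked count and the CRL rejection. The point to take from it against the thread: the whole state of the issuing CA is a handful of text files under one directory (which is what Jorey Bump encrypts when not in use and what snacktime moved into a database), and signing a thousand CSRs is a loop over the same `openssl ca` call, serialised through that one index.txt.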


Re: using openssl as CA ?

snacktime
In reply to this post by Urjit Gokhale
>
> So now I am a little confused about using openssl command line utility as CA
> to give out certificates.
> What could be the reasons for using anything other than openssl as CA? Are
> there security issues?
> Are people using openssl as their private CA? are any particular problems
> reported regarding the use of openssl as private CA on large scale?

Well, openssl is really just a toolkit that can perform some functions
of a CA.  And if you want an open source toolkit, it's really the only
option.  I can't think of any features that openssl is missing that
you would need for a CA, and there aren't any openssl-particular
security issues; every application has security flaws now and then.

We use an openssl-based CA for our payment gateway.  We issue them to
clients, and require client certificates (in addition to the normal
username/password that uses Kerberos) for all access to our web
interfaces that provide access to cardholder data.  We were actually
the first gateway to do this, starting almost 4 years ago.   It also
comes in handy for sending confidential information to our clients
via email.  Every client already has a certificate installed, so
encrypting email messages to them is trivial.  Much easier than trying
to train them to use something like PGP.

I would say for the most part private CAs are used in intranets,
although that is changing slowly.