Open endepointe opened 7 months ago
The idea begins with:
The CA would manage all certificates issued to clients and servers.
Create a certificate that will be used to sign other certificates:
```sh
# CA key pair, then a self-signed certificate for it
openssl genpkey -algorithm RSA -out ca.key
openssl req -x509 -new -key ca.key -out ca.crt
```
Sign its certificate using the CA Service-supplied certificate:
```sh
# server key pair and CSR, signed by the CA above
openssl genpkey -algorithm RSA -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
```
Create and verify an account using the Frontend service.
Create and sign its certificate using the CA Service-supplied certificate:
```sh
# client key pair and CSR, signed by the same CA
openssl genpkey -algorithm RSA -out client.key
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
```
Certificates can be verified using:
```sh
openssl verify -CAfile ca.crt server.crt client.crt
```
To add to the discussion, should we look into creating a Root CA and then intermediate CA(s) separately for optimizing security? This is because if a Root CA is compromised, we have to re-install it on every endpoint. This way the root CA is "offline" more, lessening the chance of being compromised. If the intermediate CA is compromised, we can revoke its certificates and replace it easily, and the Root CA is still intact ready to issue trust to the new intermediate CA again. A meatshield if you will.
Related tasks: https://github.com/SecurityLogMiner/log-collection-client/issues/23
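The procedure above and the root/intermediate split proposed at the end, worked through as one script. This is an added example, not the project's code: it keeps the root key off the issuing path by having it sign only an intermediate, and it adds the extensions (basicConstraints, keyUsage, extendedKeyUsage, subjectAltName) that `openssl x509 -req` does not set on its own and that TLS peers check. It assumes openssl 1.1.1 or later on PATH; every file name, CN and hostname (`logs.example.test`, `collector-01`, `pki-demo`) is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not the project's own code): two-tier PKI with an "offline"
# root, an online issuing intermediate, and server/client leaf certificates.
# Assumes openssl 1.1.1+; all names below are constructed placeholders.
set -eu

PKI_DIR="${PKI_DIR:-${TMPDIR:-/tmp}/pki-demo}"

genkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# issue CSR CA_CERT CA_KEY EXT_FILE DAYS OUT: sign a CSR with explicit extensions.
# x509 -req copies nothing from the CSR, so the CA, not the requester, decides SAN/EKU.
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -sha256 -days "$5" -extfile "$4" -out "$6" 2>/dev/null
}

build_pki() {
  d="$1"; mkdir -p "$d"

  # Root: self-signed, pathlen:1 so it can never sit more than two levels above a leaf.
  genkey "$d/root.key"
  openssl req -new -key "$d/root.key" -subj "/CN=Example Root CA" -out "$d/root.csr"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -sha256 -days 3650 \
    -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null

  # Intermediate: pathlen:0, may sign leaves but not further CAs. This is the key
  # that stays online and is the one you replace (and revoke) on compromise.
  genkey "$d/intermediate.key"
  openssl req -new -key "$d/intermediate.key" -subj "/CN=Example Issuing CA" -out "$d/intermediate.csr"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/intermediate.ext"
  issue "$d/intermediate.csr" "$d/root.crt" "$d/root.key" "$d/intermediate.ext" 1825 "$d/intermediate.crt"

  # Server leaf: SAN is what hostname verification matches; EKU limits it to serverAuth.
  genkey "$d/server.key"
  openssl req -new -key "$d/server.key" -subj "/CN=logs.example.test" -out "$d/server.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:logs.example.test\n' > "$d/server.ext"
  issue "$d/server.csr" "$d/intermediate.crt" "$d/intermediate.key" "$d/server.ext" 365 "$d/server.crt"

  # Client leaf: clientAuth only, so a stolen collector cert cannot impersonate the server.
  genkey "$d/client.key"
  openssl req -new -key "$d/client.key" -subj "/CN=collector-01" -out "$d/client.csr"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  issue "$d/client.csr" "$d/intermediate.crt" "$d/intermediate.key" "$d/client.ext" 365 "$d/client.crt"

  # What the server deploys: leaf plus intermediate. Only root.crt goes into trust stores.
  cat "$d/server.crt" "$d/intermediate.crt" > "$d/server-chain.pem"
}

# verify_leaf DIR LEAF PURPOSE: exit 0 only if LEAF chains to the root through the
# intermediate AND its extensions permit PURPOSE (sslserver | sslclient).
verify_leaf() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
    -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# verify_against_root_only DIR LEAF: the one-line check from the issue, with no
# intermediate supplied. Expected to fail: the chain is incomplete.
verify_against_root_only() { openssl verify -CAfile "$1/root.crt" "$1/$2" >/dev/null 2>&1; }

build_pki "$PKI_DIR"
verify_leaf "$PKI_DIR" server.crt sslserver && echo "server.crt: OK for sslserver"
verify_leaf "$PKI_DIR" client.crt sslclient && echo "client.crt: OK for sslclient"
verify_leaf "$PKI_DIR" client.crt sslserver || echo "client.crt: rejected for sslserver (EKU)"
verify_against_root_only "$PKI_DIR" server.crt || echo "server.crt: rejected without intermediate"
```

Two things this makes visible that the one-tier commands hide: a leaf verifies only when the intermediate is presented (`-untrusted`, or bundled as `server-chain.pem`), so endpoints must ship the chain, not just the leaf; and because the CA sets EKU, the client certificate is refused for the server role even though it chains correctly. `openssl verify -verify_hostname logs.example.test` against `server.crt` is the additional check a TLS client performs on the SAN.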