
Building a Robust Linux Security Solution: Page 7 of 15

WEB PKI: OPENCA, SSL, AND LDAP

There is no reason why you can’t take advantage of a PKI-based solution to address your authentication and authorization problems. For example, if a number of your business partners need access to an extranet Web server in the company’s Demilitarized Zone (DMZ), you can set up a small Registration Authority (RA) server to accept requests to sign X.509 public key certificates and a Certification Authority (CA) to process the requests and sign the certificates.

Both Netscape Navigator and Microsoft Internet Explorer currently support X.509 certificates, and there are free Linux implementations of RA, CA, and Lightweight Directory Access Protocol (LDAP) servers.

Based in Europe and boasting developers scattered worldwide, the OpenCA Project (www.openca.org) was born from the need for an open-source toolkit for rapid deployment of all the elements necessary for a PKI.

The first building block of a Web PKI is a standard Web browser that lets users request a certificate from an RA. The OpenRA is implemented as a set of CGI scripts written in Perl and hosted on a secure Web server. The OpenCA team looked to the proven Apache Web server, adding standard Secure Sockets Layer (SSL) support to it to ensure the privacy of the certificate requests. As soon as the RA receives a certificate-signing request, it queues it for the CA, which is typically kept offline for security reasons. Once the CA signs the request and issues the certificate, the browser can once again visit the RA and load the certificate to the browser’s local cache.
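The enrollment flow just described (user creates a request, RA checks and queues it, offline CA signs, anyone with the CA certificate verifies the result) modelled with the openssl command line, as an added example that is not OpenCA's own code. It assumes openssl is installed; the subject names and file paths are placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example (not OpenCA's code): the Web PKI enrollment flow with the
# openssl CLI. Assumes openssl is on PATH; names and paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: the CA (kept offline in a real deployment) creates its own key pair
# and a self-signed root certificate that relying parties will trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Offline CA" >/dev/null 2>&1
}

# Step 2: the user's browser generates a key pair and a certificate-signing
# request (CSR). Only the CSR travels to the RA; the private key stays local.
make_csr() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/partner.key" -out "$WORK/partner.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# Step 3: the RA checks that the CSR is self-consistent (its signature verifies
# under the embedded public key) and queues it for the CA. A real RA operator
# would also vet the requester's identity before queueing. Returns 1 on failure.
ra_accept() {
  openssl req -in "$WORK/partner.csr" -noout -verify >/dev/null 2>&1 || return 1
  cp "$WORK/partner.csr" "$WORK/queue.csr"
}

# Step 4: the offline CA signs the queued CSR with its private key, issuing a
# short-lived certificate (90 days here).
ca_sign() {
  openssl x509 -req -in "$WORK/queue.csr" -days 90 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/partner.crt" >/dev/null 2>&1
}

# Step 5: anyone holding ca.crt can verify the issued certificate chains to it.
verify_issued() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/partner.crt" >/dev/null 2>&1
}

# Show the subject of the issued certificate, for inspection.
issued_subject() {
  openssl x509 -in "$WORK/partner.crt" -noout -subject
}

make_ca && make_csr "partner.example.net" && ra_accept && ca_sign && verify_issued
```

Run it as a whole; the files it leaves in `$WORK` mirror what the RA queue and the CA's output directory would hold.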