Bug 1430167 (Closed)
PKI: coordinate with Kyle Broderson from DigiCert to get example cert from private PKI for testing
Opened 7 years ago, closed 7 years ago
Category: Infrastructure & Operations Graveyard :: WebOps: Other (task)
Tracking: not tracked
Status: RESOLVED FIXED
People: Reporter: sidler, Assigned: sidler
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6060]
No description provided.
Comment 1•7 years ago
John Bircher
Jan 12 (5 days ago)
to Kyle, me, Shyam, Greg
Kyle,
Talked with Scott and Shyam earlier and we figured I should give you a rundown of one particular use-case that I currently have, maybe giving you insight on what we need.
In our wireless environment we currently use Aruba ClearPass to authenticate users w/ username and password against LDAP (EAP-PEAP/MSCHAPv2). Moving forward we want to remove the localized LDAP instances.
So now we are looking into utilizing EAP-TLS. ClearPass can act as a root CA and issue certs... however since our environment is not federated we come across all kinds of trust issues with a self signed root CA.
ClearPass has the ability to act as an intermediate to another CA to issue client certs. It also has the ability to act as a registration authority (via SCEP).
In this one particular use-case, we expect to be churning out +/- 3000 client identity certs per year for wireless access.
Ideally a solution like your Private PKI (based on assumptions that may [not] be accurate on how it works) could help us do this in a scalable way that also lets other apps (i.e. OpenVPN, etc.) either use the same certs or at least share the same trust chain.
In a long past life... I did something similar to this with VeriSign. They issued us a publicly signed, private-use, licensed intermediate CA, and from there, using products like ISA and ClearPass, we were able to issue client certificates for network access (wired/wireless/VPN), internal web hosts, and various other uses.
Let me know if you have any questions and/or if that is something we might be able to do with the DigiCert's Private PKI.
Comment 2•7 years ago
Jared Mensinger
Jan 15 (2 days ago)
to Kyle, John, Sales, me, Shyam, Greg
Hi John,
We aren't permitted to sign a ClearPass CA with a publicly trusted root, as that would allow for the issuance of publicly trusted certificates to any common name, IP address, etc., with no visibility by us. The validation standards we are audited against do not allow this.
The only way you would be able to acquire client certificates with public trust would be through the cloud. Other Certificate Authorities are audited against the same standards, and I don’t believe there would be any permitted instances where a CA would sign an intermediate CA with a publicly trusted root certificate.
Jared Mensinger
Sales Engineer
DigiCert, Inc.
Email: Jared.mensinger@digicert.com
Phone: 801-701-9628
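To make the two positions above concrete, here is an added example (my code, not anything from the thread, DigiCert or Aruba) of the private hierarchy John describes in Comment 1, built with only the Go standard library. The subordinate issuing CA stands in for the ClearPass tier and is fenced in the ways a public root could never delegate to a customer-run CA: pathlen 0 (no further sub-CAs), a client-authentication-only EKU, and name constraints limiting it to a constructed "corp.example" namespace. Verify mirrors what a RADIUS server or VPN gateway does with a presented EAP-TLS client cert. All CA names, the namespace and the user identities are constructed; note that Go enforces name constraints at verification time rather than at issuance, so the out-of-scope certificate is signed without complaint and is only rejected by the relying party.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PrivatePKI is a constructed two-tier hierarchy: a private root plus a constrained issuing CA.
type PrivatePKI struct {
	Root, Intermediate *x509.Certificate
	interKey           *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// sign creates a certificate from tmpl under parent (signed with parent's key) and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPrivatePKI creates the root and the issuing CA. The issuing CA may only sign end-entity
// certs, only for client authentication, and only for names under the constructed corp.example.
func BuildPrivatePKI() *PrivatePKI {
	now := time.Now()
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interKey := newKey()
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Wireless Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{".corp.example"},
		PermittedEmailAddresses:     []string{"corp.example"},
	}
	inter := sign(interTmpl, root, &interKey.PublicKey, rootKey)
	return &PrivatePKI{Root: root, Intermediate: inter, interKey: interKey}
}

// IssueClientCert issues a one-year client identity cert, as the ClearPass tier would after SCEP enrolment.
func (p *PrivatePKI) IssueClientCert(cn, email string, dnsNames []string) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		EmailAddresses: []string{email}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, p.Intermediate, &key.PublicKey, p.interKey)
}

// Verify chains a presented cert to the private root, enforcing EKU and the name constraints.
func (p *PrivatePKI) Verify(leaf *x509.Certificate, eku x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

func main() {
	pki := BuildPrivatePKI()
	good := pki.IssueClientCert("alice", "alice@corp.example", []string{"laptop-42.corp.example"})
	bad := pki.IssueClientCert("rogue", "rogue@corp.example", []string{"www.example.org"})
	fmt.Println("in-scope client cert:", pki.Verify(good, x509.ExtKeyUsageClientAuth))
	fmt.Println("DNS SAN outside corp.example:", pki.Verify(bad, x509.ExtKeyUsageClientAuth))
	fmt.Println("same cert offered as a TLS server:", pki.Verify(good, x509.ExtKeyUsageServerAuth))
}
```

The first check returns nil and the other two return errors: the constrained intermediate can sign a certificate for www.example.org, but no relying party that anchors on the private root will accept it, and the same client certificate cannot be turned into a server certificate because the EKU is checked along the whole chain. A publicly trusted root signing an uncconstrained customer CA would offer none of these fences, which is the substance of the objection in Comment 2.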
Comment 3•7 years ago
Hi John,
We can support the SCEP protocol for issuance of both public and private client certificates. In addition, ClearPass recently added support in version 6.6.7 for the authentication method our SCEP implementation uses.
Provisioning the certificate via SCEP, we could host a dedicated public or private CA, or we could issue off one of our public CAs—just depending on your requirements.
Ken Martin
Senior PKI Solutions Architect | IoT and Emerging Markets
O: 801 701 9606 | M: 801 362 2442 | ken.martin@digicert.com
Comment 4•7 years ago
We are waiting on NetOps to upgrade ClearPass to 6.6.7 and then we will be able to run some tests and see if the Private PKI provided by DigiCert will work for this case.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•6 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard