Does anyone know of a project / product that has standardized how to access/download X.509/SSL certificates over HTTP? I have seen RFC 4387 but haven't found anyone who implements it. Basically, I am trying to set up a key server for an internal application.

So short of implementing my own, does anyone have any suggestions?

+1  A: 

That is the only "standard" for an HTTP-accessible certificate repository, but I've never seen it implemented. Most CAs that provide an HTTP repository do not use a standard, machine-accessible interface. For example, Verisign provides a certificate repository for certificates it issues to US government employees, and makes it accessible through a form-based web application.

For a machine interface, "everyone" uses LDAP. More importantly, while LDAP-enabled clients are common, I've never seen a client application that supported an HTTP interface. What do you plan to do with an HTTP repository?

erickson
The reason why I was looking into HTTP was because LDAP connectivity is not available in the environment I work in. It's all custom code so I'm not worried about client support and was wondering if there were any standard server solutions. (I'm leaning towards a simple Apache directory listing to do this).
chotchki
As for what I am planning to use it for, we have multiple clients that connect through an HTTP server (but never directly to each other). So I was looking at this as a way to distribute their certificates to each other without having to design a huge new process.
chotchki
@chotchki - A lot of RFC 4387 (and LDAP) is about supporting search functions. If you don't need search, you could definitely get by with something a lot simpler. But applications like an email client where you want to send an encrypted email to someone you haven't corresponded with before really benefit from search. In other applications, like talking HTTPS, certificate exchange is built into the protocol.
erickson
As an update I am going to take the simple HTTP directory listing approach since we have no need for search.
chotchki
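As an added illustration of the "something a lot simpler" that the answer and comments converge on (example code written for this page, not code from the thread or from any CA product), here is a minimal HTTP certificate repository in Python's standard library. It assumes the certificates are stored as DER files (`*.cer`) in one directory and that clients fetch a certificate by the SHA-256 fingerprint of its DER encoding. That one design choice carries the security point a plain directory listing lacks: the URL is resolved against an in-memory index rather than the filesystem, so a request path can never escape the certificate directory, and a client that already knows the fingerprint can check that the bytes it received are the ones it asked for even though the transport is plain HTTP. The sample repository is built from constructed placeholder bytes, not real certificates, so the example runs offline.

```python
"""Minimal HTTP certificate repository (added example; assumptions noted in comments).

Assumed layout: DER certificates as *.cer files in a single directory.
Assumed URL scheme (not RFC 4387; a simpler, fingerprint-keyed lookup):
    /certs/            -> JSON list of available fingerprints
    /certs/<fp>.cer    -> the DER certificate whose SHA-256 fingerprint is <fp>
"""
import hashlib
import json
import os
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

CERT_CONTENT_TYPE = "application/pkix-cert"   # registered MIME type for one DER certificate


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def build_index(cert_dir: str) -> dict:
    """Map fingerprint -> DER bytes for every *.cer file in cert_dir.

    Requests are resolved against this dict, never against the filesystem,
    so "../" or arbitrary filenames in the URL cannot reach other files.
    """
    index = {}
    for name in sorted(os.listdir(cert_dir)):
        if not name.endswith(".cer"):
            continue
        with open(os.path.join(cert_dir, name), "rb") as f:
            der = f.read()
        index[fingerprint(der)] = der
    return index


def resolve(index: dict, path: str):
    """Turn a request path into (status, content_type, body)."""
    if path == "/certs/":
        return 200, "application/json", json.dumps(sorted(index)).encode()
    if path.startswith("/certs/") and path.endswith(".cer"):
        fp = path[len("/certs/"):-len(".cer")].lower()
        if fp in index:
            return 200, CERT_CONTENT_TYPE, index[fp]
    return 404, "text/plain", b"not found\n"


def verify_download(der: bytes, expected_fp: str) -> bool:
    """Client-side check: the received bytes must hash to the fingerprint the
    client asked for. Plain HTTP provides no integrity by itself, so the
    client must bring the expected fingerprint from a trusted source."""
    return fingerprint(der) == expected_fp.lower()


class CertHandler(BaseHTTPRequestHandler):
    index = {}  # populated from build_index() before the server starts

    def do_GET(self):
        status, ctype, body = resolve(self.index, self.path.split("?", 1)[0])
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_sample_repo() -> str:
    """Create a temp directory holding constructed placeholder 'certificates'.
    The payloads are NOT real DER certificates; they only stand in for them."""
    d = tempfile.mkdtemp()
    for name, payload in (("alice.cer", b"CONSTRUCTED-DER-alice"),
                          ("bob.cer", b"CONSTRUCTED-DER-bob")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("not a certificate; build_index() must skip this file\n")
    return d


if __name__ == "__main__":
    CertHandler.index = build_index(make_sample_repo())
    print("serving %d certificates on http://127.0.0.1:8080/certs/" % len(CertHandler.index))
    HTTPServer(("127.0.0.1", 8080), CertHandler).serve_forever()
```

Run the module and request `/certs/` to see the fingerprints, then `/certs/<fingerprint>.cer` to fetch one; on the client side, pass the returned body and the fingerprint you requested to `verify_download()` before trusting the certificate. Keying the repository on a hash of the certificate rather than on a filename is what makes the plain-HTTP transport acceptable for an internal deployment like the one described in the question: the server cannot be tricked into serving files outside the index, and a substituted or corrupted certificate fails the client's fingerprint check.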