tags:

views:

30

answers:

1
+1  Q: 

Is there a standard way to run a x509 key server?

Does anyone know of a project / product that has standardized how to access/download x509/SSL certificates over HTTP? I have seen RFC 4387 but haven't found anyone who implements it. Basically, I am trying to setup a key server for an internal application.

So short of implementing my own, does anyone have any suggestions?

+1  A: 

That is the only "standard" for an HTTP-accessible certificate repository, but I've never seen it implemented. Most CAs that provide an HTTP repository do not use a standard, machine-accessible interface. For example, Verisign provides a certificate repository for certificates it issues to US government employees, and makes it accessible through a form-based web application.

For a machine interface, "everyone" uses LDAP. More importantly, while LDAP-enabled clients are common, I've never seen a client application that supported an HTTP interface. What do you plan to do with an HTTP repository?

erickson  2010-06-15 18:49:45
The reason why I was looking into HTTP was because LDAP connectivity is not availible in the environment I work in. Its all custom code so I'm not worried about client support and was wondering if there were any standard server solutions. (I'm leaning towards a simple apache directory listing to do this).
chotchki  2010-06-15 19:32:34
As for what I am planning to use it for, we have multiple clients that connect through a http server (but never directly to each other). So I was looking at this as a way to distribute their certificates to each other without having to design a huge new process.
chotchki  2010-06-15 19:32:53
@chotchki - A lot of RFC 4387 (and LDAP) is about supporting search functions. If you don't need search, you could definitely get by with something a lot simpler. But applications like an email client where you want to send an encrypted email to someone you haven't corresponded with before really benefit from search. In other applications, like talking HTTPS, certificate exchange is built into the protocol.
erickson  2010-06-15 20:12:28
As an update I am going to take the simple http directory listing approach since we have no need for search.
chotchki  2010-06-25 15:11:26

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL