Secure network

Michael Gale michael.gale at utilitran.com
Wed Feb 11 21:02:11 CET 2004


What? So I have an internal CA ... the web server only trusts this CA. All
clients which require access have to have a cert signed by the CA.

Now you are saying that if someone steals the private key they can sign certs.
If someone has this type of access .. I think that having my stolen private key
would not be the only problem?

So how is this different than using a trusted CA? I am not self-signing my
certs. I have a CA set up inside and the web server cert is signed by that CA.

Sure, the internal clients have to import a cert signed by it and import the CA
into their browsers.

But once that CA is imported, how is it less secure than a Verisign-signed cert?

If a web server is only being accessed by a few company employees to view system
status and monitoring, paying for a cert signed by a "trusted CA" is not worth
it.

Why don't we just suggest that nagios only be viewable over a VPN connection?

Michael.


On Wed, 11 Feb 2004 13:43:18 -0600
jeff vier <jeff.vier at tradingtechnologies.com> wrote:

> On Wed, 2004-02-11 at 11:40, Michael Gale wrote:
> > So in order for internal users to have access to the site they have to
> > import a cert signed by the CA I have in the office. 
> 
> or a cert signed by the CA with the stolen private key.
> 
> "self-signed" certs are not considered truly secure.  That's what Trusted CAs
> are for.
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation
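The setup Michael describes, an internal CA whose certificates are the only ones the web server accepts, reduces to one check per client connection: does the presented certificate chain to that single trusted CA? The script below is an added example, not code from the thread or from the Nagios project; it builds a private CA with openssl, issues a client certificate from it, and shows that a certificate issued by any other CA (the names internal-ca, other-ca, alice and mallory, the config file ca.cnf and the working directory are all constructed for the example) is rejected even though it is perfectly valid on its own.

```shell
#!/bin/sh
# Added example, not from the original thread: an internal CA that issues
# client certificates, checked the way a web server restricted to that CA
# checks them. All names (internal-ca, other-ca, alice, mallory), the
# ca.cnf config and the working directory are constructed for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config so the CA cert carries CA:TRUE regardless of the
# system's default openssl.cnf. The empty [dn] section is required by req
# even though every subject is supplied with -subj.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create a self-signed CA certificate and key. The key is what the thread
# worries about being stolen: it gets owner-only permissions here and in
# practice belongs on a machine that is not the web server.
make_ca() {
  name="$1"
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$name" -keyout "$name.key" -out "$name.crt" >/dev/null 2>&1
  chmod 600 "$name.key"
}

# Issue a short-lived client certificate from the given CA: the client makes
# its own key and a CSR, and only the CSR (never the client key) reaches the CA.
issue_client_cert() {
  ca="$1"; client="$2"
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$client" \
    -keyout "$client.key" -out "$client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$client.csr" -CA "$ca.crt" -CAkey "$ca.key" \
    -CAcreateserial -days 30 -out "$client.crt" >/dev/null 2>&1
}

# The web server's decision on each TLS handshake, reduced to one command:
# exit 0 only if the presented cert chains to the one trusted CA file.
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca internal-ca                 # the only CA the web server trusts
make_ca other-ca                    # any other CA, however reputable
issue_client_cert internal-ca alice
issue_client_cert other-ca mallory

for c in alice mallory; do
  if verify_client_cert internal-ca.crt "$c.crt"; then
    echo "$c.crt: accepted, chains to internal-ca"
  else
    echo "$c.crt: rejected, not issued by internal-ca"
  fi
done
```

On an Apache front end for the Nagios CGIs the same check is the mod_ssl configuration `SSLVerifyClient require` with `SSLCACertificateFile` pointing at internal-ca.crt, so a browser without a cert from that CA never reaches the CGIs. The thread's objection concerns internal-ca.key rather than the certificates: anyone holding it can issue an accepted client cert, so that file is the asset to keep off the web server, restrict to the CA operator, and treat as a compromise to rotate (reissuing the trusted CA cert on the server) if the CA host is ever lost.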


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users