We have two custom-made PKI services which I built with the OpenSSL toolchain: one issues X.509 certificates for use in SSL/TLS communication and S/MIME e-mail, and the second is dedicated to issuing certificates for routers via the SCEP protocol. These two PKI infrastructures are kept separate because they have nothing to do with each other. This week I’ve spent some time tweaking little bits and pieces that weren’t quite right:

  • Router enrollment in our OpenSCEP installation has been done manually in the past. To lower the administration overhead I’ve implemented automatic enrollment when a new router comes up, as well as automatic revocation and renewal when a router’s certificate is close to its expiry date. First tests have been successful, and I’m putting this live as we speak.
  • The X.509 certificates for our S/MIME users have to be imported into a Lotus Notes directory so that clients can use them when encrypting e-mail to a PKI user. Because this PKI is not Domino-based (i.e. the certificates are not created from within a Domino environment) I’ve had to do some messy stuff to import them into a names.nsf on the client. This messy stuff consists of adding the certificates via LDAP and then copying them over with a bit of LotusScript.
  • Our OpenLDAP directory contains the issued certificates for users (in the userCertificate attribute type of the inetOrgPerson object class). When I implemented that a number of years ago, I “forgot” to implement certificate renewals and revocation. This meant that when a certificate was revoked it wasn’t removed from the directory (not tragic, but ugly), and when a certificate for a user was renewed it wasn’t replaced in the directory (ugly and tragic). I hope that is a thing of the past now.
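
The last item above is worth showing concretely. What follows is an added example, not code from the blog’s own PKI scripts: it builds the LDIF modify records that keep the userCertificate attribute of an inetOrgPerson entry in step with the CA, swapping the expiring certificate for the renewed one and dropping a revoked one, with RFC 2849 line folding for the base64 values. The DN and the DER stand-ins are constructed for the demonstration; real DER comes from `openssl x509 -outform DER`. The records are applied with `ldapmodify -x -D <binddn> -W -f out.ldif`.

```python
"""LDIF generator for keeping userCertificate in sync with the CA.
Added example; not the blog author's code.  Apply the output with ldapmodify."""
import base64
import hashlib

ATTR = "userCertificate;binary"   # DER values; ';binary' is what S/MIME clients look for
LDIF_WIDTH = 76                   # RFC 2849 physical line length; continuations start with a space


def fold(line):
    """Fold one logical LDIF line into physical lines of at most LDIF_WIDTH chars."""
    parts = [line[:LDIF_WIDTH]]
    rest = line[LDIF_WIDTH:]
    while rest:
        parts.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return "\n".join(parts)


def unfold(text):
    """Inverse of fold(): join continuation lines (leading space) onto the previous line."""
    lines = []
    for phys in text.split("\n"):
        if phys.startswith(" ") and lines:
            lines[-1] += phys[1:]
        else:
            lines.append(phys)
    return lines


def cert_value(der):
    """'attr:: base64' is how LDIF carries a binary value; fold it to width."""
    return fold(ATTR + ":: " + base64.b64encode(der).decode("ascii"))


def fingerprint(der):
    """SHA-1 fingerprint in the colon form printed by `openssl x509 -fingerprint -sha1`,
    handy for logging which value was swapped or removed."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def renewal_ldif(dn, old_der, new_der):
    """Delete the expiring certificate *by value* and add the renewed one in a single
    modify.  Both changes succeed or fail together, and any other certificate the
    user holds (e.g. a separate encryption certificate) is left alone, which a
    'replace:' would not do.  If the old value is no longer in the entry the server
    rejects the whole modify, which exposes a directory that has drifted from the CA
    instead of silently stacking a second certificate onto the entry."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "delete: " + ATTR,
        cert_value(old_der),
        "-",
        "add: " + ATTR,
        cert_value(new_der),
        "-",
        "",
    ])


def revocation_ldif(dn, revoked_der):
    """Remove only the revoked certificate's value from the entry."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "delete: " + ATTR,
        cert_value(revoked_der),
        "-",
        "",
    ])


def certs_in_ldif(text):
    """Return the DER values named in an LDIF record, in order (used to check output)."""
    out = []
    for line in unfold(text):
        if line.startswith(ATTR + ":: "):
            out.append(base64.b64decode(line[len(ATTR) + 3:]))
    return out


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates, not real X.509 data.
    old = bytes(range(256)) * 3
    new = bytes(reversed(range(256))) * 3
    dn = "uid=jane,ou=people,dc=example,dc=com"   # hypothetical entry
    print(renewal_ldif(dn, old, new))
    print("revoked:", fingerprint(old))
    print(revocation_ldif(dn, old))
```

The delete-by-value form matters because userCertificate is multi-valued: a user legitimately holds two values during a renewal overlap or when signing and encryption certificates are separate, and a `replace:` would throw the other one away.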

This has been a bit of a “hacking” week (fun for a change :-) ). I’ve used C, Perl, LotusScript, and Bourne shell for the lot.

LDAP, DomiNotes, and Security :: 12 Feb 2009 :: e-mail