[Swan] Moving host certificates from where they were created to where they will be used
Paul Wouters
paul at nohats.ca
Sat Oct 28 04:02:37 EEST 2023
On Fri, 27 Oct 2023, William Atwood wrote:
> I have one host that I will use to contain the CA, called Tarjan.
>
> I have 10 other hosts, which will be members of the group overseen by this
> CA. One of these is Perlis.
>
> Tarjan first creates a Certificate Authority.
>
> Tarjan (as CA) then creates a certificate for itself (as host).
As long as the CA Common Name is not identical to the host Common Name
certificate.
> Detailed instructions are given for exporting the CA certificate from Tarjan,
> either as a .p12 file or as a .crt file, and then installing it in NSS on
> Perlis.
>
> However, I can find no example of exporting a host certificate from NSS on
> Tarjan to copy into NSS on Perlis.
Why would you want to do that?
You can generate all the certificates and keys on Tarjan, then create
pkcs#12 exports for the 10 hosts, and import those p12 files on each
host. That would be the common way of doing this. You _could_ go the way
of doing a CSR on each host and copying that to the Tarjan CA to sign,
but that seems overly complicated for this use case.
> Clearly, I could import the .p12 file for the CA, including the private key,
> and then Perlis could then generate its own host certificate, by pretending
> to be the CA, but this seems very undesirable from a security perspective.
No need to do that.
Paul
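The workflow Paul recommends (generate everything on the CA host, bundle each host's key and certificate as PKCS#12, import that bundle into NSS on the host) as an added shell example. This is not code from the thread or from Libreswan: it uses openssl for the CA and host material, shows the NSS import with `ipsec import` or `pk12util` guarded so the script still runs where those tools are absent, and the directory, passphrase and host names other than Tarjan/Perlis are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: CA + per-host key/cert on Tarjan,
# PKCS#12 export per host, NSS import on the target host (Perlis).
# Paths and the export passphrase are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=Tarjan CA"              # CA CN must differ from every host CN
P12_PASS="${P12_PASS:-export-pass}"  # constructed; use a real passphrase

# Step 1 (on Tarjan): CA key and self-signed CA certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2 (on Tarjan): host key, CA-signed host certificate, then a PKCS#12
# bundle holding the host key, the host cert and the CA cert. Prints the path.
make_host_p12() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/$host.crt" 2>/dev/null
  openssl pkcs12 -export -name "$host" \
    -inkey "$WORK/$host.key" -in "$WORK/$host.crt" -certfile "$WORK/ca.crt" \
    -passout "pass:$P12_PASS" -out "$WORK/$host.p12"
  echo "$WORK/$host.p12"
}

# Check before shipping the bundle: the end-entity cert inside the .p12 has
# the host's CN as subject, and the host cert chains to the CA cert.
verify_host_p12() {
  host="$1"
  openssl pkcs12 -in "$WORK/$host.p12" -passin "pass:$P12_PASS" \
      -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q "CN *= *$host" || return 1
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$host.crt" >/dev/null 2>&1
}

# Step 3 (on Perlis, after copying the .p12 over): import into the NSS
# database Libreswan uses. Only the .p12 for that host travels; the CA
# private key stays on Tarjan.
import_into_nss() {
  p12="$1"; nssdir="${2:-/var/lib/ipsec/nss}"
  if command -v ipsec >/dev/null 2>&1; then
    ipsec import "$p12"
  elif command -v pk12util >/dev/null 2>&1; then
    pk12util -i "$p12" -d "sql:$nssdir"
  else
    echo "no NSS tooling found; would import $p12 into $nssdir" >&2
  fi
}

if [ "${1:-}" = "run" ]; then
  make_ca
  for h in Perlis; do
    make_host_p12 "$h"
    verify_host_p12 "$h" && echo "$h.p12 verified"
  done
  # import_into_nss "$WORK/Perlis.p12"   # run this part on Perlis
fi
```

Run as `sh export-hosts.sh run` on the CA host to produce one `.p12` per host in `$WORK`; the loop over `Perlis` extends naturally to the other nine hosts. Only the per-host bundle is copied to each host and fed to `import_into_nss`, so no host ever holds the CA private key.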