From: Carlos R. <cm...@eu...> - 2017-01-05 18:35:15
On Thu, 2017-01-05 at 16:07 -0200, Soluti Quintiliano wrote:
> Hummm... A smartcard or security token + password split between MofN, not great but still simple.
> You probably will have problems with backing this up.
>
> If you really need to segregate this, during the install EJBCA allows you to generate the Superadmin cert using a PKCS11 library, so you can use a smartcard or token and have the superadmin cert protected. I personally wouldn't do this. It's easier to use the superadmin for initial config and then replace it with the CA operator's cert.

I already have this implemented, but with one soft token for each CA operator.

> Just out of curiosity, can you share your PKI architecture idea? I've been using EJBCA at large scale for 5 years and haven't had any issue regarding limiting access to CA Administration. Using a small number of trusted managers, allowing only them to make changes on CAs and profiles. Even then, everything is verified from the logs, and, if something unusual or even not authorized happens (the alarms go on; it never happens), it is then audited.

The idea is to have a CA that needs a minimum of 2 administrators' approvals to open the CA to create, renew or revoke certificates.

> []'s
>
> Protect your contacts' email addresses as I am protecting yours.
> When sending messages to more than one address, ALWAYS use
> "Cco" (cópia oculta) or "Bcc" (Blind carbon copy).
>
> This message is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure.
>
> 2017-01-05 15:47 GMT-02:00 Carlos Rodrigues <cm...@eu...>:
>> Hello,
>>
>> I don't have an HSM device; is there no other way to do that?
>>
>> Regards,
>> Carlos Rodrigues
>>
>> On Thu, 2017-01-05 at 15:05 -0200, Soluti Quintiliano wrote:
>>> Hi,
>>> Out of the box, the easy option is to limit access to the EJBCA CA interface through user permissions. You can then store the AC Admin (Superadmin) certificate inside an HSM and ensure the access to this specific key with MofN. You'll also need to isolate the access to EJBCA's shell server...
>>> Att.
>>>
>>> 2017-01-05 14:31 GMT-02:00 Carlos Rodrigues <cm...@eu...>:
>>>> Hello,
>>>>
>>>> I would like to know how to configure EJBCA to require more than one person to activate a Certification Authority and to prevent changing the CA settings?
>>>>
>>>> Anyone could help me?
>>>>
>>>> Regards,
>>>> Carlos Rodrigues
>>>>
>>>> On Wed, 2016-12-28 at 14:16 +0000, Carlos Rodrigues wrote:
>>>>> Hello,
>>>>>
>>>>> I need to create one Certification Authority that needs more than one person to open the CA to do any CA operation.
>>>>> This should include changing the CA to set approval settings.
>>>>>
>>>>> Regards,
>>>>>
>>>>> --
>>>>> Carlos Rodrigues
>>>>> Senior Software Engineer
>>>>> Eurotux Informática, S.A. | www.eurotux.com (t) +351 253 680 300 (m) +351 911 926 110
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> Ejbca-develop mailing list
>>>>> Ejb...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
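As an added example that is not part of the thread (and not EJBCA code), the "password split between MofN" suggested above can be done with Shamir secret sharing: the token activation passphrase is split into N shares over a prime field so that any M administrators together recover it, while fewer than M shares reveal nothing about it. The passphrase and the 2-of-3 policy below are constructed sample values; how shares are handed to each administrator and stored is outside this snippet.

```python
# Added example: Shamir M-of-N split of a token PIN / passphrase so that no
# single administrator can activate the CA alone (constructed sample values).
import secrets

# Prime field large enough to hold a 32-byte secret (2**256 - 189 is prime).
PRIME = 2**256 - 189


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split `secret` into `shares` (x, y) points; any `threshold` recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    value = int.from_bytes(secret, "big")
    if value >= PRIME:
        raise ValueError("secret too large for the field")
    # Constant term is the secret; the other threshold-1 coefficients are random,
    # so fewer than `threshold` points are consistent with every possible secret.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points, secret_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from `threshold` points."""
    value = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        value = (value + yi * num * pow(den, -1, PRIME)) % PRIME
    return value.to_bytes(secret_len, "big")


if __name__ == "__main__":
    pin = b"token-activation-passphrase"  # constructed sample secret
    admin_shares = split_secret(pin, threshold=2, shares=3)
    # Any two administrators can reconstruct the passphrase; one alone cannot.
    assert recover_secret(admin_shares[:2], len(pin)) == pin
    assert recover_secret(admin_shares[1:], len(pin)) == pin
    print("2-of-3 reconstruction OK")
```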