[Fed-Talk] PKI
- Subject: [Fed-Talk] PKI
- From: Joshua Krage <email@hidden>
- Date: Wed, 14 May 2008 19:58:01 -0400
A couple of PKI-related questions for y'all.
(a) What is the "Apple" way to get a certificate into the keychain
from an enterprise directory, e.g. LDAP? In an enterprise operating
its own CA. At present the only method we can discern is manual
import via files, or import via Mail by receiving a signed email. An
employee developed an in-house tool to do the LDAP query and stuff the
resulting certificate into the keychain. This isn't well integrated
and requires yet another application to do a basic function. I'd love
to see Address Book or something similar incorporate this. It's
annoying to start a Mail message, have to stop to get the certificate,
and start up again.
(b) Once a keychain is populated with certificates, has anyone written
a script to eliminate superseded certificates? If I receive a signed
message, the certificate (if included) is added to my keychain which
is lovely. Between this and adding certificates through the manual
means, the keychain can end up with multiple certificates for the same
target. These are not expired or revoked certificates, merely updates
to the current reference certificate. Not all organizations enforce
the single reference certificate model with all others in the CRL. In
many cases, the end user only needs the most recent certificate for
the same target. Right now, this is a per-keychain manual process. Has
anyone automated this cleanup? e.g. find all certificates matching
the primary attributes, remove older versions.
Even better, a solution that solves (a) and incorporates (b),
populating the keychain with the reference directory copy and
eliminating the ones. For extra points, allow a choice between taking
no action and removing the certificate when a matching entry or
certificate cannot be found in the directory.
--
-----------------------------------------------------------------
email@hidden, CISSP
NASA GSFC Associate CIO for Information Security
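The selection logic asked for in (b), with the directory-driven variant from the closing paragraph, as an added example that is not part of the original post. It is written in Python over constructed sample records; in a real run the records would come from dumping the keychain (for instance `security find-certificate -a -p` on macOS, with each PEM parsed by `openssl x509 -noout -subject -issuer -serial -dates`), which this example does not do. Function names, the `CertRecord` type, the sample subjects, serials and the "directory" map are all assumptions made here for illustration.

```python
"""Plan removal of superseded certificates from a keychain dump (added example).

Records are grouped by (subject, issuer). Within a group one certificate is
kept: the directory's reference copy if a directory map is supplied and
lists the target, otherwise the unexpired certificate with the latest
notBefore. When a target is absent from the directory, `remove_unlisted`
chooses between taking no action and removing all of its certificates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CertRecord:
    subject: str        # subject DN as printed by openssl (assumed format)
    issuer: str         # issuer DN
    serial: str         # hex serial as printed by openssl
    not_before: datetime
    not_after: datetime


def norm_key(subject: str, issuer: str) -> Tuple[str, str]:
    """Normalize DN strings so 'cn=' and 'CN=' variants group together."""
    return (subject.strip().lower(), issuer.strip().lower())


def plan_cleanup(certs: List[CertRecord], now: datetime,
                 directory: Optional[Dict[Tuple[str, str], str]] = None,
                 remove_unlisted: bool = False):
    """Return (keep, remove) lists of CertRecord.

    directory: optional map from norm_key(...) to the serial the enterprise
    directory publishes as the reference certificate for that target.
    """
    groups: Dict[Tuple[str, str], List[CertRecord]] = {}
    for cert in certs:
        groups.setdefault(norm_key(cert.subject, cert.issuer), []).append(cert)

    keep: List[CertRecord] = []
    remove: List[CertRecord] = []
    for key, members in groups.items():
        ref_serial = directory.get(key) if directory is not None else None
        if directory is not None and ref_serial is None:
            # Target not found in the directory: policy choice from the post.
            (remove if remove_unlisted else keep).extend(members)
            continue

        chosen = None
        if ref_serial is not None:
            # Directory copy wins when it is present in the keychain.
            chosen = next((c for c in members
                           if c.serial.lower() == ref_serial.lower()), None)
        if chosen is None:
            # Fall back to "most recent, still valid" selection; if every
            # copy is expired, keep the newest so the target is not orphaned.
            valid = [c for c in members if c.not_before <= now <= c.not_after]
            chosen = max(valid or members, key=lambda c: c.not_before)

        for cert in members:
            (keep if cert is chosen else remove).append(cert)
    return keep, remove


def serials(records: List[CertRecord]) -> List[str]:
    """Sorted serials, convenient for reporting and for checking results."""
    return sorted(c.serial for c in records)


def _dt(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (not real certificates): an employee with three
# generations of certificate, one with a single certificate, one whose
# directory reference is older than the newest keychain copy, and one
# with no directory entry at all.
CA = "CN=Example CA, O=Example Agency"
SAMPLE_CERTS = [
    CertRecord("CN=Alice Example, O=Example Agency", CA, "1001", _dt("2006-01-01"), _dt("2007-01-01")),  # expired
    CertRecord("CN=Alice Example, O=Example Agency", CA, "1002", _dt("2007-01-01"), _dt("2009-01-01")),  # superseded
    CertRecord("CN=Alice Example, O=Example Agency", CA, "1003", _dt("2008-01-01"), _dt("2009-01-01")),  # current
    CertRecord("CN=Bob Example, O=Example Agency", CA, "2001", _dt("2007-06-01"), _dt("2009-06-01")),
    CertRecord("cn=Carol Example, o=Example Agency", CA, "3001", _dt("2007-03-01"), _dt("2009-03-01")),
    CertRecord("CN=Carol Example, O=Example Agency", CA, "3002", _dt("2008-03-01"), _dt("2010-03-01")),
    CertRecord("CN=Dave Example, O=Example Agency", CA, "4001", _dt("2008-02-01"), _dt("2010-02-01")),
]
NOW = _dt("2008-05-14")
SAMPLE_DIRECTORY = {
    norm_key("CN=Alice Example, O=Example Agency", CA): "1003",
    norm_key("CN=Bob Example, O=Example Agency", CA): "2001",
    norm_key("CN=Carol Example, O=Example Agency", CA): "3001",  # Dave is absent
}

if __name__ == "__main__":
    for label, kwargs in [("dates only", {}),
                          ("directory, unlisted kept", {"directory": SAMPLE_DIRECTORY}),
                          ("directory, unlisted removed",
                           {"directory": SAMPLE_DIRECTORY, "remove_unlisted": True})]:
        keep, remove = plan_cleanup(SAMPLE_CERTS, NOW, **kwargs)
        print(f"{label}: keep {serials(keep)} remove {serials(remove)}")
```

The output is a plan rather than a deletion so it can be reviewed before anything is removed from a keychain; note that DN normalization here is a simple case-fold, so targets whose DNs differ in attribute order or whitespace would need a proper DN comparison before they group together.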