Hey guys, I'm looking for recommendations on the best free and open-source solution to issue and manage client certificates in an enterprise Linux environment. We currently have certbot configured, but I'm considering options like step-ca. With over 400 clients, what's the best approach? Any advice would be greatly appreciated!
5 Answers
I've done some digging into this myself, but on a smaller scale. FreeIPA and step-ca are often recommended choices among self-hosting enthusiasts. For now, I've been managing my own certs with OpenSSL commands, but it can be tedious, and I'm worried about missing expiry dates.
If you're looking for something straightforward without all the bells and whistles, OpenSSL might be sufficient. You can create root CA certs and manage CSRs. Consider orchestrating things with Ansible for better management. Also, bear in mind that Certbot relies on Let's Encrypt; are you okay sticking with them long term?
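As an added example that is not part of the answer above or any project's code: a minimal OpenSSL-only flow for the approach it sketches (offline root CA, CSR-based client issuance restricted to clientAuth, chain verification, and an expiry sweep so nothing quietly lapses). `$WORK`, the CA name and the client names are assumptions; the openssl subcommands and flags are real.

```shell
#!/bin/sh
# Added example: offline root CA + client-cert issuance + expiry sweep using
# only the openssl CLI. $WORK is an assumed scratch directory (all keys stay
# there); host names and the CA subject are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA. Keep ca.key offline in practice; it never leaves $WORK here.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client side generates its own key and CSR; CA signs it with clientAuth EKU
# and CA:FALSE so the result cannot be reused as a server or issuing cert.
issue_client() {
  name="$1"; days="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days "$days" \
    -extfile "$WORK/client.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Exit 0 if cert $1 is still valid for at least $2 more days, 1 otherwise.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 only if cert $1 chains to our CA (rejects certs from other issuers).
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Print every *.crt under $1 that expires within $2 days: the "did I miss an
# expiry" sweep to run from cron or an Ansible task over the issued certs.
expiring_within() {
  for f in "$1"/*.crt; do
    valid_for_days "$f" "$2" || echo "$f"
  done
}
```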
It's important to clarify what you're trying to authenticate with certificates. For OpenSSH, you'd need a PKI that supports its cert authentication, since it doesn't use standard X.509 certs. That said, if you're doing mutual TLS with X.509, that should work fine.
Since you're already using step-ca, sticking with it sounds like a practical choice. It should fit well with your current setup!
If you have a solid configuration management setup, FreeIPA could handle your needs for distributing client certs effectively. Your question is a bit broad, which makes it tough to give a specific answer, but for just distributing certs, FreeIPA is a solid choice.