Client Certs

Hi Bigstar


I distributed the last beta version to some co-workers to evaluate. Turns out some of them want to use the site manager anyway.

Though today they encountered a serious problem.
They had made a list with some servers (in the site manager). But typically a cert is not very long lived.
So it's normal that they are only valid for 3 months for example, obviously for security reasons.

Now the guys that had made a list in the site manager had the following problem:

Today we received a new cert from our administration service cause the old ones were about to expire. After they imported the new cert and deleted the old cert, all the sites need to have a re-set of the cert :s
The common name was exactly the same though.

This is a huge problem, cause this means that every 3 months they have to set all certs again on every site. There should be an update method, or even better just a question on import when the common name is identical: Do you want to replace this cert with the new one ? And than obviously set the new one in place of the old one on all sites.

Could you fix this ? Cause the whole concept of the site manager is a bit lost otherwise with client certs.


Kind regards
JGO

I think maybe adding a replace certificate option might be one way of handling this. It's very possible to have multiple certs with the same common name and use each one on a different ftp server without issues.

Each certificate is stored and paired to a site based on a hash key.

I'll really have to think about this. Surprisingly this has never come up before.

Well I see a couple of possibilities here:

• I assume that internally you're using an ID already anyway which can remember the exact cert.
  
  So you can make an extra right click option when you click on an existing cert: "Replace"
  This can come between export and delete. This will allow to replace an existing cert.
  
  Supplementary you could do an extra check ,if on import it's the same common name (perhaps with also same OU) that you ask if the user wants to add or wants to replace an existing cert.
  
  
• Another way of dealing with this is with some kind of SLOTS. The user can add slot #1 than load a cert into it. Than he could create SLOT#2 and put another cert into that, etc etc.
  If a new cert arrives, he just goes to the appropiate slot and replaces that cert.

Let me know what you think of this.


I think not so many windows users use this already for client authentication. Using certs on linux is more common. But most of unix users, use command line clients. We use windows machines to manage our linux and windows servers. We are also a security company. If users were aware how easy it is to steal passwords even with SSL enabled, I bet they would use all client certs for authentication. I can assure you that passwords can be stolen pretty easely.


Kind regards
JGO

Any news for a replace cert option ?

Yes we will be adding a replace feature to the next release, It'll be available probably sometime next month.

Ok that is great to hear ! Thanks a lot

This features are currently available in the latest private beta release, Contact me via private message if you'd like to participate in our private beta tests.