On Thu, 12 Mar 2015 19:04:26 +0000, jeevan kc jeev_biz@hotmail.com wrote:
I followed the OpenLDAP guide below to create a CA-issued certificate using OpenSSL and was able to enable SSL on the LDAP server; applications can connect via ldaps:// on port 636. Now I have some questions from management about whether this certificate is as safe as the commercial certificates out there. Can someone clarify this? I would appreciate it.
[...]
It seems the management has only restricted knowledge. Ask your management what is considered a safe commercial certificate. To my understanding, a Certification Authority (CA) is safe as long as the key is stored in an iron safe and not available to the world, while the certificate (CA) has to be available to the world. An X.509 (host or user) certificate, created according to ITU-T X.509 and signed with your CA, is secure if it meets today's agreed security measures, i.e.

- use a 2048 bit RSA or a 256 bit ECDSA private key
- secure the host and user private keys
- use elliptic curve cryptography for transport security

You may want to read https://www.feistyduck.com/books/openssl-cookbook/
-Dieter
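The three measures Dieter lists, carried out with the OpenSSL command line as an added example (this script is not from either mail): a private root CA on a P-256 ECDSA key, a host certificate on a 2048-bit RSA key signed by that CA, private keys written with mode 0600, a chain verification, and a `key_is_strong` check that rejects anything below the 2048-bit RSA / 256-bit ECDSA thresholds. The scratch directory `WORK`, the host name `ldap.example.test`, the subject names and the validity periods are assumptions chosen for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP thread: a minimal private CA with
# OpenSSL that meets the key-size and key-handling measures from the reply.
set -eu
umask 077                                  # every new file (keys included) is 0600

WORK="${WORK:-$(mktemp -d)}"               # scratch directory (assumption)

# Create the CA: 256-bit ECDSA (P-256) key and a self-signed root certificate.
make_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
        -subj "/CN=Example Private Root CA" -out "$WORK/ca.crt"
    chmod 600 "$WORK/ca.key"               # the CA key stays private to its owner
    chmod 644 "$WORK/ca.crt"               # the CA certificate is public
}

# Issue a host certificate for $1: 2048-bit RSA key, CSR, signed by the CA,
# with a subjectAltName (modern clients ignore the CN for host matching).
issue_host_cert() {
    host="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$host.key"
    openssl req -new -key "$WORK/$host.key" -subj "/CN=$host" -out "$WORK/$host.csr"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt"
    chmod 644 "$WORK/$host.crt"
}

# Succeed only if the host certificate for $1 chains to our CA.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null
}

# Succeed only if the private key in $1 is RSA >= 2048 bits or EC >= 256 bits.
# "openssl pkey -text" prints "Private-Key: (N bit ...)" for both key types and a
# "modulus:" line only for RSA, which is how the type is told apart here.
key_is_strong() {
    info=$(openssl pkey -in "$1" -text -noout)
    bits=$(printf '%s\n' "$info" | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    if printf '%s\n' "$info" | grep -q '^modulus:'; then
        [ "${bits:-0}" -ge 2048 ]
    else
        [ "${bits:-0}" -ge 256 ]
    fi
}

# Succeed only if the CA key is readable by its owner alone (mode exactly 0600).
ca_key_private() {
    [ -n "$(find "$WORK/ca.key" -perm 600 -print)" ]
}

# A deliberately undersized key, used to show that key_is_strong rejects it.
make_weak_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1024 -out "$WORK/weak.key" 2>/dev/null
}

demo() {
    make_ca
    issue_host_cert ldap.example.test
    verify_chain ldap.example.test
    key_is_strong "$WORK/ca.key"
    key_is_strong "$WORK/ldap.example.test.key"
    ca_key_private
    echo "CA and host certificate written to $WORK"
}
demo
```

Running the script leaves `ca.crt` (to be distributed to clients as their trust anchor), `ca.key` (to be kept offline, or at least unreadable to anyone but its owner), and the host key and certificate for the LDAP server. The checks answer the management question in operational terms: the certificate is as trustworthy as the CA key is private and the key sizes are current, which is also all a commercial CA offers beyond being pre-installed in client trust stores.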