Current Best Practices

Started by JamesFrisch, May 16, 2025, 02:55:05 PM

For PKI I did create a CA on a VM, created intermediate + certs. Then powered off. Obviously internal only. That was a few years ago.
I have toyed with the idea of using OPN instead when the time to renew comes along. It seems a neat piece of functionality to have there.

AFAIK, the prerequisites for DNS registration of STATIC mappings are:
* Unbound config to register
* Some DHCP server enabled
* Static entries defined for that server
* Static entries feature a hostname (if the domain name is empty, the OPN domain name is used)
* Unbound restarted after static entry update
I think I've seen a thread wrt entries not being picked up until the host requests the IP but I don't understand why it would be the case (given my understanding of the integration).

For PKI, I was referring to this in the OP:
Quote: But for internal stuff, I am using self-signed certs (intermediate CA).
I was wondering what that meant. OPN? CA software on premises? something else?

Quote from: cookiemonster on May 20, 2025, 02:27:30 PM
For PKI I did create a CA on a VM, created intermediate + certs. Then powered off. Obviously internal only. That was a few years ago.
I have toyed with the idea of using OPN instead when the time to renew comes along. It seems a neat piece of functionality to have there.
Can you share the software used in that VM?

Most likely openssl.

Yes that's right, openssl.
The specific resource I always resort to when in doubt is https://www.feistyduck.com/library/openssl-cookbook/online/
The chapter is the one on your own PKI, and it is without OCSP, so there is no need for OCSP responders. Feistyduck is my first go-to for all openssl doubts I have. Keep it in your pocket :)
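As an added example (not part of the thread and not taken from the cookbook), this is the offline-root / intermediate / server-cert layout discussed above done with plain openssl, plus the chain check a client performs. Every name, path and lifetime in it is a constructed placeholder.

```shell
# Added example, not from the thread or the cookbook: the internal PKI shape
# cookiemonster describes (offline root CA -> intermediate CA -> server certs),
# built with plain openssl and no OCSP (revocation would be a CRL from the
# intermediate). Assumes openssl 1.1.1 or 3.x on PATH; all names are constructed.
set -eu

build_pki() (   # subshell body, so the cd below does not leak to the caller
  dir="$1"; host="$2"
  mkdir -p "$dir" && cd "$dir"

  # 1. Root CA: self-signed via a CSR so all three certs get extensions the same way.
  openssl req -new -newkey rsa:3072 -nodes -sha256 \
    -subj "/CN=Example Internal Root CA" -keyout root.key -out root.csr 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
  openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key \
    -extfile root.ext -out root.crt 2>/dev/null

  # 2. Intermediate CA: pathlen:0 means it may sign leaves but never another CA.
  openssl req -new -newkey rsa:3072 -nodes -sha256 \
    -subj "/CN=Example Internal Issuing CA" -keyout int.key -out int.csr 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > int.ext
  openssl x509 -req -sha256 -days 1825 -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile int.ext -out int.crt 2>/dev/null

  # 3. Server cert: short-lived, serverAuth only, SAN present (clients ignore CN).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$host.key" -out "$host.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$host" 'authorityKeyIdentifier=keyid' > leaf.ext
  openssl x509 -req -sha256 -days 397 -in "$host.csr" -CA int.crt -CAkey int.key \
    -CAcreateserial -extfile leaf.ext -out "$host.crt" 2>/dev/null

  # What a TLS server serves: leaf then intermediate. Only root.crt goes to clients.
  cat "$host.crt" int.crt > "$host.fullchain.pem"
)

# Validate as a client would: trust only the root, treat the intermediate as untrusted input.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Sanity check: the leaf must NOT verify when only the intermediate is in the trust store.
verify_without_root() {
  openssl verify -CAfile "$1/int.crt" "$1/$2.crt" >/dev/null 2>&1
}
```

Once the intermediate is signed, the VM holding root.key can be powered off again as in the thread; day-to-day issuance only needs int.key.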