Hello Larry,
On 18.01.2022 at 14:50, Larry DrFranken Bolhuis <midrange@xxxxxxxxxxxx> wrote:
While I agree that things are changing quickly, it does effectively make it impossible to keep valid certificates on everything such as HMCs and Network switches and Fiber Switches and Web servers and VTLs and and and.....
This is more of a structural problem. The only major vendor who came up with a standard way to distribute renewed certificates automatically is Microsoft, within their Active Directory world. No AD member, no cert.
Although there are "official" standard protocols to automate certificate distribution, they have not seen widespread implementation in the list of devices you mention.
https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol
https://en.wikipedia.org/wiki/Enrollment_over_Secure_Transport
https://en.wikipedia.org/wiki/Certificate_Management_Protocol
https://en.wikipedia.org/wiki/Certificate_Management_over_CMS
And that trains us to instinctively ignore those 'this site is insecure' messages as a matter of course, and just accept whatever self-signed thing is on the device, despite it being old and expired.
I guarantee I continue past that message fifty times a day, every day!
So while the logic is good, I'm not sure the end effect is as positive to security as intended.
You nailed it! And why? Because, again, of ignorant vendors, requiring manual labor to implement corporate CA signed certs. And yes, this *includes* IBM. Given the fact that we're talking merely about copying two files over (Key and Cert PEM files) and telling the TLS library, linked into whatever is to use the certificates, to now use these files instead of some defaults, it's really a shame how big and large-scale the industry fails. For years, and apparently for years to come.
:wq! PoC
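An added worked example of the two-file install PoC describes, not part of this message and not any vendor's firmware code: a Go server whose TLS library is told to use the key and cert PEM files on disk, resolved at handshake time, so copying a renewed pair over the old one is the whole "renewal"; the client side verifies against the operator's copy of the cert, which is exactly the check that gets thrown away when one clicks past the browser warning. The device name hmc.example.internal, the file names and the self-signed test certificates are constructed for the example; a corporate CA would supply the real pair.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

const serverName = "hmc.example.internal" // hypothetical device name

// WritePEMPair issues a self-signed certificate with the given serial (constructed test data
// standing in for what a corporate CA hands back), writes the two PEM files a device needs
// (key first, so a watcher of the cert file always finds its key) and returns the cert PEM.
func WritePEMPair(certPath, keyPath string, serial int64) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: serverName}, DNSNames: []string{serverName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// Self-signed, so it doubles as the trust anchor the client verifies against.
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated above
	if err := os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		return nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return certPEM, os.WriteFile(certPath, certPEM, 0o644)
}

// ReloadingCert hands the TLS library whatever pair is on disk at handshake time, so a renewed
// pair copied into place is served without restarting anything. Loading on every handshake keeps
// the example short; a real daemon would cache the pair and reload when the files change.
type ReloadingCert struct{ CertPath, KeyPath string }

func (r *ReloadingCert) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	c, err := tls.LoadX509KeyPair(r.CertPath, r.KeyPath) // also checks that key and cert belong together
	if err != nil {
		return nil, err
	}
	return &c, nil
}

// Handshake runs one TLS handshake on loopback between a server using r and a client that
// trusts only trustPEM (the operator's copy of what the device should present) and returns
// the serial served. The same chain verification rejects an expired or wrong-name cert.
func Handshake(r *ReloadingCert, trustPEM []byte) (int64, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(trustPEM) {
		return 0, fmt.Errorf("no certificate in trust PEM")
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: r.GetCertificate})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // accept one connection, complete the handshake, hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: serverName, RootCAs: pool, MinVersion: tls.VersionTLS12})
	if err != nil {
		return 0, err
	}
	defer cli.Close()
	return cli.ConnectionState().PeerCertificates[0].SerialNumber.Int64(), nil
}

// RenewalDemo installs pair #1, serves it, copies pair #2 over it and reports the serials seen
// before and after, plus whether a client still trusting only the old certificate is refused.
func RenewalDemo() (before, after int64, oldTrustRejected bool, err error) {
	dir, err := os.MkdirTemp("", "pem-demo")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	certPath, keyPath := filepath.Join(dir, "server.crt"), filepath.Join(dir, "server.key")
	r := &ReloadingCert{CertPath: certPath, KeyPath: keyPath}
	oldPEM, err := WritePEMPair(certPath, keyPath, 1)
	if err != nil {
		return
	}
	if before, err = Handshake(r, oldPEM); err != nil {
		return
	}
	newPEM, err := WritePEMPair(certPath, keyPath, 2) // the renewal: two files copied over the old ones
	if err != nil {
		return
	}
	if after, err = Handshake(r, newPEM); err != nil {
		return
	}
	_, e := Handshake(r, oldPEM)
	return before, after, e != nil, nil
}

func main() {
	fmt.Println(RenewalDemo())
}
```

Run it with go run; it prints serial 1, then 2 after the new pair is copied in, and true for the client that still trusted only the old cert being refused. The per-handshake load is deliberately minimal: a long-running daemon would cache the loaded pair, reload only when the cert file changes, and keep serving the previous pair when tls.LoadX509KeyPair rejects a half-copied or mismatched one, rather than taking the management interface down mid-rollout.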
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].