Re: Renewing DCM cert

Hello Larry,

Am 18.01.2022 um 14:50 schrieb Larry DrFranken Bolhuis <midrange@xxxxxxxxxxxx>:

While I agree that things are changing quickly it does effectively make it impossible to keep valid certificates on everything such as HMCs and Network switches and Fiber Switches and Web servers and VTLs and and and.....

This is more of a structural problem. The only major vendor who came up with a standard way to distribute renewed certificates automatically is Microsoft, within their Active Directory world. No AD member, no cert.

Although there are "official" standard protocols to automate certificate distribution, they have not seen widespread implementation in the list of devices you mention.

https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol

https://en.wikipedia.org/wiki/Enrollment_over_Secure_Transport

https://en.wikipedia.org/wiki/Certificate_Management_Protocol

https://en.wikipedia.org/wiki/Certificate_Management_over_CMS

And that trains us to instinctively ignore those 'this site is insecure' messages as a matter of course, and just accept whatever self signed thing is on the device, despite it being old and expired.

I guarantee I continue past that message fifty times a day, every day!

So while the logic is good, I'm not sure the end effect is as positive to security as intended.

You nailed it! And why? Because again of ignorant vendors, requiring manual labor to implement corporate CA signed certs. And yes, this *includes* IBM. Given the fact that we're talking merely about copying two files over (Key and Cert PEM files) and telling the TLS library — being linked against whatever is to use the certificates — to now use these files instead of some defaults, it's really a shame how big and large scale the industry fails. For years, and apparently for years to come.

:wq! PoC