Hi all, appreciate any advice. I currently have numerous OpenBSD devices acting as FW/routers, all happily talking to each other with IPsec using IPv4 public keys.

I'm now ready to dive into the world of Road Warriors using OSX and Windows. As far as I can tell, I'm pretty much forced to use an X.509 certificate structure, as copying around public keys is already getting annoying. In addition, OSX and Windows seem to have some choices and structure in place for signed certs and not much else that is easily configured.

1) Would you gurus suggest running my own CA, or using cacert.org? I'm not scared of rolling my own structure, but I also appreciate what cacert.org is trying to accomplish in the world of Verisign, etc.

2) If I roll my own, from a security standpoint, should my CA be a separate device, dedicated only to being a CA? What are the security ramifications of using an existing device (one of my OpenBSD firewalls) as the CA, or is it technically impossible (see 3) below)?

3) If I roll my own, from a technical standpoint, does my CA need to be a unique and separate device, i.e. is it required to be a third party in isakmpd negotiations?

Thanks,
Scott Learmonth
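
The "roll my own CA" path from questions 1 to 3, as an added worked example that is not part of the original post or of any reply to it. It builds a private CA with openssl(1), issues one certificate for a gateway (subjectAltName of type IP, which is what isakmpd compares against an IPv4 IKE ID) and one for a road warrior (subjectAltName of type email, matching a user-FQDN ID), and bundles the road-warrior key and certificate into a PKCS#12 file for import on OSX or Windows. The directory layout mirrors what isakmpd(8) reads: ca/ca.crt, certs/<name>.crt and private/local.key. The CA is never a party in the IKE exchange; only its certificate is copied to each peer, and the CA private key is the one file that should stay off the gateways, which is the practical reason to keep it on a separate, ideally offline, machine. The CA name, hostnames, the 192.0.2.1 address, the e-mail address and the passphrase are placeholders I chose for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal private CA for
# isakmpd road warriors, driven by the openssl(1) command-line tool.
# All names, addresses and the PKCS#12 passphrase are placeholders.
#
# Layout inside $d mirrors what isakmpd(8) reads on the gateway:
#   ca/ca.crt           CA certificate that every peer trusts
#   certs/<name>.crt    the gateway's own certificate
#   private/<name>.key  the gateway's private key (install as local.key)
# ca/ca.key is the CA signing key: keep it off the gateways entirely.
set -e

CA_SUBJ="/CN=Example Private IPsec CA"   # assumed CA name
KEY_BITS=2048

# make_ca DIR : self-signed CA certificate plus its private key.
make_ca() {
    d=$1
    mkdir -p "$d/ca" "$d/certs" "$d/private"
    openssl req -x509 -newkey "rsa:$KEY_BITS" -nodes -days 3650 \
        -subj "$CA_SUBJ" -keyout "$d/ca/ca.key" -out "$d/ca/ca.crt" \
        >/dev/null 2>&1
    chmod 600 "$d/ca/ca.key"
}

# issue_cert DIR NAME SAN : key, CSR and CA-signed certificate. SAN is
# the subjectAltName isakmpd matches against the peer's IKE ID:
# "IP:a.b.c.d" for a gateway with an IPv4 ID, "email:user@host" for a
# user-FQDN ID, "DNS:host" for an FQDN ID.
issue_cert() {
    d=$1; name=$2; san=$3
    openssl req -new -newkey "rsa:$KEY_BITS" -nodes -subj "/CN=$name" \
        -keyout "$d/private/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
    chmod 600 "$d/private/$name.key"
    # Extensions are read from the top-level section of the -extfile.
    printf 'subjectAltName=%s\n' "$san" > "$d/$name.ext"
    openssl x509 -req -days 365 -in "$d/$name.csr" \
        -CA "$d/ca/ca.crt" -CAkey "$d/ca/ca.key" -CAcreateserial \
        -extfile "$d/$name.ext" -out "$d/certs/$name.crt" >/dev/null 2>&1
    rm -f "$d/$name.csr" "$d/$name.ext"
}

# export_p12 DIR NAME PASS : bundle key, certificate and CA certificate
# for import into the OSX keychain or the Windows certificate store.
export_p12() {
    d=$1; name=$2; pass=$3
    openssl pkcs12 -export -name "$name" \
        -in "$d/certs/$name.crt" -inkey "$d/private/$name.key" \
        -certfile "$d/ca/ca.crt" -passout "pass:$pass" -out "$d/$name.p12"
}

# cert_ok DIR NAME WANT : the certificate chains to the CA and its text
# dump contains WANT (the SAN as openssl x509 -text prints it).
cert_ok() {
    d=$1; name=$2; want=$3
    openssl verify -CAfile "$d/ca/ca.crt" "$d/certs/$name.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$d/certs/$name.crt" -noout -text | grep -q "$want"
}

# pki_demo DIR : CA plus one gateway and one road-warrior certificate.
pki_demo() {
    d=$1
    make_ca "$d"
    issue_cert "$d" gw1 "IP:192.0.2.1"                 # placeholder address
    issue_cert "$d" scott "email:scott@example.org"    # placeholder user
    export_p12 "$d" scott changeit                     # placeholder passphrase
    cert_ok "$d" gw1 "IP Address:192.0.2.1" &&
    cert_ok "$d" scott "email:scott@example.org"
}

# Run the whole procedure in the given directory, or a scratch one.
pki_demo "${1:-$(mktemp -d)}"
```

On the gateway, copy ca/ca.crt to /etc/isakmpd/ca/, certs/gw1.crt to /etc/isakmpd/certs/ and private/gw1.key to /etc/isakmpd/private/local.key; the road warrior only needs scott.p12. Newer OpenSSL releases write PKCS#12 files with PBES2/AES by default, which old OSX and Windows importers may refuse; if an import fails, re-export with the older RC2/3DES algorithms before suspecting the certificate itself.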

