On Sep 10, 2007, at 9:31 AM, Olivier Ricou wrote:
> I think I remember why I made my own scripts to get a CA and keys.
> Can someone explain to me why we need a CA to make user or host keys?
> I want grid-cert-request to make the private key and the request,
> nothing else. I can understand it may help users to get a message
> about sending the right file to the right mail address, but we
> should have an option to avoid that.

PKI is based around trust anchors. CAs are these trust anchors. You
are not just getting keys like you use in SSH. You are getting X.509
certificates. Certificates are signed by their issuer. The top-level
issuer is a certificate authority.

Therefore, a CA is required to get user or host certificates. You
can use an existing one (see Alan Sill's message) or make your own
(using openssl or simpleCA-wrapped openssl), but you can't generate a
certificate without one.

Charles
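
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not the Globus or simpleCA tooling: the key and request are made without any CA, but a certificate exists only once a CA signs the request, and it is trusted only against that CA. The subject names, file names and function names are constructed for the demo, and a local openssl binary is assumed.

```sh
#!/bin/sh
# Added illustration. Subject and file names are constructed; keys are
# written unencrypted (-nodes) to a temp directory purely for the demo.
set -eu

# Step 1: private key + certificate request. No CA is involved here.
make_key_and_request() {   # $1 = working directory
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/hostkey.pem" -out "$1/hostreq.pem" \
        -subj "/O=Demo Grid/CN=host.example.org" 2>/dev/null
}

# Step 2: a self-signed CA certificate, i.e. a trust anchor.
make_ca() {                # $1 = working directory, $2 = file prefix, $3 = CA name
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/$2key.pem" -out "$1/$2cert.pem" \
        -subj "/O=Demo Grid/CN=$3" 2>/dev/null
}

# Step 3: the CA signs the request; only now does a certificate exist.
sign_request() {           # $1 = working directory, $2 = CA file prefix
    openssl x509 -req -in "$1/hostreq.pem" -days 30 \
        -CA "$1/$2cert.pem" -CAkey "$1/$2key.pem" -CAcreateserial \
        -out "$1/hostcert.pem" 2>/dev/null
}

# Prints "certificate" if $1 parses as an X.509 certificate.
file_kind() {
    if openssl x509 -in "$1" -noout 2>/dev/null; then echo "certificate"
    else echo "not a certificate"; fi
}

# Prints "trusted" if the host certificate chains to the given anchor.
check_trust() {            # $1 = working directory, $2 = CA file prefix
    if openssl verify -CAfile "$1/$2cert.pem" "$1/hostcert.pem" >/dev/null 2>&1
    then echo "trusted"; else echo "untrusted"; fi
}

DEMO_DIR=$(mktemp -d)
make_key_and_request "$DEMO_DIR"
echo "request alone:    $(file_kind "$DEMO_DIR/hostreq.pem")"
make_ca "$DEMO_DIR" ca "Demo CA"
make_ca "$DEMO_DIR" other "Unrelated CA"
sign_request "$DEMO_DIR" ca
echo "signed output:    $(file_kind "$DEMO_DIR/hostcert.pem")"
echo "against Demo CA:  $(check_trust "$DEMO_DIR" ca)"
echo "against other CA: $(check_trust "$DEMO_DIR" other)"
```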