Sorry, it seems I perhaps misunderstood. You don't need to have the
CA trust configured to make the initial request, but if that's how
you're doing things, then you'll still need to know in advance what
namespace to request certificates from. Additionally, you'll have to
install the CA public keys and signing policies manually to establish
trust.
Charles
On Sep 11, 2007, at 1:04 PM, Charles Bacon wrote:
On Sep 10, 2007, at 9:31 AM, Olivier Ricou wrote:
I think I remember why I made my own scripts to get a CA and keys.
Can someone explain to me why we need a CA to make user or host keys?
I want grid-cert-request to make the private key and the request,
nothing else. I can understand it may help users to get a message
about sending the right file to the right mail address, but we
should have an option to avoid that.
PKI is based around trust anchors. CAs are these trust anchors.
You are not just getting keys like you use in SSH. You are getting
X.509 certificates. Certificates are signed by their issuer. The
top-level issuer is a certificate authority.
Therefore, a CA is required to get user or host certificates. You
can use an existing one (see Alan Sill's message) or make your own
(using openssl or simpleCA-wrapped openssl), but you can't generate
a certificate without one.
Charles
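The issuer relationship Charles describes, shown end to end with the openssl command line: a key pair and signing request alone (what grid-cert-request produces) is not a certificate; it becomes one only when a CA signs it, and a relying host can verify it only after that CA's public certificate has been installed as a trust anchor. This is an added example, not part of the original thread or of the Globus tools it discusses; the organisation and CA names, the subject name and the temporary working directory are constructed for the demo, and the `-no-CAfile`/`-no-CApath` options assume OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway CA with
# openssl, turn a CSR into a user certificate, and show that verification
# succeeds only where the CA certificate is configured as a trust anchor.
# Names and the working directory below are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # 1. The trust anchor: a self-signed CA certificate plus its private key.
  #    This is the "make your own" path (plain openssl rather than simpleCA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Demo Grid/CN=Demo Grid CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_request() {
  # 2. What grid-cert-request produces: a private key and a certificate
  #    signing request (CSR) for the given common name. The CSR is signed
  #    only by the requester's own key, so no third party trusts it yet.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Demo Grid/CN=$1" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
}

issue_cert() {
  # 3. The CA signs the CSR, producing an X.509 certificate whose issuer is
  #    the CA. Without a signer there is no certificate, only a request.
  openssl x509 -req -in "$WORK/user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -out "$WORK/user.crt" 2>/dev/null
}

cert_issuer() {
  # Print the issuer field so the chain back to the CA is visible.
  openssl x509 -in "$WORK/user.crt" -noout -issuer
}

verify_with_ca() {
  # A host that has installed ca.crt as a trust anchor: returns 0 (valid).
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1
}

verify_without_ca() {
  # The same certificate on a host with no trust anchors at all: returns
  # non-zero, because the issuer cannot be found in any trusted store.
  openssl verify -no-CAfile -no-CApath "$WORK/user.crt" >/dev/null 2>&1
}

run_demo() {
  make_ca
  make_request "demo-user"
  issue_cert
}

# Stand-alone usage: build the chain, then compare both verification outcomes.
run_demo
cert_issuer
if verify_with_ca; then echo "with CA trust anchor:    valid"; fi
if verify_without_ca; then
  echo "without trust anchor:    valid (unexpected)"
else
  echo "without trust anchor:    rejected"
fi
```

Running it prints the issuer line (`issuer=O = Demo Grid, CN = Demo Grid CA`) followed by one accepted and one rejected verification of the same file, which is exactly the distinction in the thread: the CSR step needs no CA trust configured, but every relying party must have the CA's public certificate installed before the resulting certificate means anything to it.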