On May 26, 2011, at 11:51 AM, Lukasz Lacinski wrote:
I would like to issue user credentials using a MyProxy server, MyProxy
CA and PAM. But I would like to avoid adding a certificate of the
MyProxy CA to /etc/grid-security/certificates. I am thinking of
taking a
user credential signed by a IGTF-accredited CA (most of GridFTP
servers
and client machines should trust that) and use this user credential in
MyProxy CA to sign other certificates. Is it possible to omit that way
the step of adding the MyProxy CA certificate to
/etc/grid-security/certificates?
No: user certificates to not have the proper X509v3 key usage
extension to allow certificate signing; usually only digital
signature, key encipherment, and data encipherment are enabled.
You can add any CA certificate to your server's certificate area, if
you trust the way that CA is run. If not, you shouldn't be using its
certificates; if so, what id the problem with adding it in?
Alan
