On 5/26/11 10:59 AM, Alan Sill wrote:
> On May 26, 2011, at 11:51 AM, Lukasz Lacinski wrote:
> 
>> I would like to issue user credentials using a MyProxy server, MyProxy
>> CA and PAM. But I would like to avoid adding a certificate of the
>> MyProxy CA to /etc/grid-security/certificates. I am thinking of taking a
>> user credential signed by an IGTF-accredited CA (most GridFTP servers
>> and client machines should trust that) and use this user credential in
>> MyProxy CA to sign other certificates. Is it possible to omit that way
>> the step of adding the MyProxy CA certificate to
>> /etc/grid-security/certificates?
> 
> No: user certificates do not have the proper X509v3 key usage extension
> to allow certificate signing; usually only digital signature, key
> encipherment, and data encipherment are enabled.

Also:

      X509v3 Basic Constraints: critical
            CA:FALSE

And for good reason: we don't want users to impersonate each other.

> You can add any CA certificate to your server's certificate area, if you
> trust the way that CA is run.  If not, you shouldn't be using its
> certificates; if so, what is the problem with adding it in?
> 
> Alan
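Added example, not from this thread or from MyProxy: the two checks the replies point to (Basic Constraints and Key Usage) done with the openssl command line. It builds a throwaway CA and a user certificate with constructed subject names, then a small function that accepts a certificate as a certificate signer only if it carries CA:TRUE and Certificate Sign (keyCertSign); the user certificate, with the usages listed above, fails that check.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA certificate and an
# end-entity (user) certificate with OpenSSL, then check the two X509v3
# extensions that decide whether a certificate may sign other certificates.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: CA:TRUE plus keyCertSign is what a signer needs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Test CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

# User certificate issued by that CA, with the key usage values the thread
# lists: digitalSignature, keyEncipherment, dataEncipherment, and CA:FALSE.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" \
  -subj "/CN=Example User" 2>/dev/null
cat > "$WORK/user.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment,dataEncipherment
EOF
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/user.ext" -out "$WORK/user.pem" 2>/dev/null

# can_sign_certificates PEMFILE
# Returns 0 only if the certificate has Basic Constraints CA:TRUE and a
# Key Usage extension that includes Certificate Sign (keyCertSign).
can_sign_certificates() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
  return 0
}

CA_CERT="$WORK/ca.pem"
USER_CERT="$WORK/user.pem"

if can_sign_certificates "$CA_CERT"; then
  echo "ca.pem: may sign certificates"
fi
if ! can_sign_certificates "$USER_CERT"; then
  echo "user.pem: CA:FALSE / no keyCertSign, must not act as a CA"
fi
```

The same check is what a relying party effectively performs when it walks a chain: an end-entity certificate placed in /etc/grid-security/certificates would still not validate anything it "signed".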
