> Hi Michael :)
>
> so I suggest the following....
>
> The dataexchange will split up into two parts - first
> packaging all data into an archive to export the stuff from
> the CA (no network connection) to a "batch roll-out machine"
> (can be the RA)
> For this step I will create a directory structure
> "userid/processid/" in the dataexchange tree and put all
> relevant data (plain certs, pkcs12 key files, etc.) there
> The whole tree for ALL users is put into a tar when running an
> export request, so we receive an archive like this:
>
> dataexchange/
>   oliwel/
>     batch05/
>       cert25.pem
>       privatekey.p12
>       cabundle.crt
>   michael/
>     batch06/
>       cert26.pem
>       privatekey.p12
>       cabundle.crt
>
> The RA side can now unpack the stuff and do the rollout - as
> this is different for every environment, I think about
> building a generic
> "provider" that does the rollout via the RA Interface
>
> Make your beds ppls - I will start after lunch ;)
In my environment (Dual_Key-Usage) I want to enroll the p12 and PIN via encrypted e-mail using the public_key of an already issued "Signature" certificate. I have done this already with a little perl-script, which builds a Mime-Message with the p12-Attachment and the PIN, then uses "openssl smime -encrypt ..." to encrypt the whole message-structure. Unfortunately I am not in the office this week, otherwise I would post the script to openca-devel for comments. The encrypted email can be transported via dataexchange and email without any security concerns.

Regards
Michael

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
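The flow Michael describes (MIME message with the p12 attachment and the PIN, encrypted as a whole with "openssl smime -encrypt" to the public key of the user's signature certificate), as an added example written for this page; it is not Michael's Perl script and not OpenCA code. It assumes only the openssl command-line tool. The certificates, keys, addresses and the PIN "secret-pin" are constructed for the demo: the recipient certificate is self-signed here so that its private key is at hand for the recipient-side decrypt that checks the round trip.

```shell
#!/bin/sh
# Added example, not Michael's script: wrap a PKCS#12 file and its PIN in a
# MIME message, encrypt the whole structure with "openssl smime -encrypt"
# to the recipient's signature certificate, then decrypt it as the
# recipient to check the round trip.  Assumes only the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DEMO_PIN="secret-pin"      # constructed PIN; a real one would be random

# Constructed material: the recipient's "signature" cert (self-signed here
# so its key can also decrypt) and a throwaway PKCS#12 to roll out.
make_demo_material() {
    [ -f "$WORK/privatekey.p12" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=michael sig" \
        -keyout "$WORK/sig-key.pem" -out "$WORK/sig-cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=michael enc" \
        -keyout "$WORK/enc-key.pem" -out "$WORK/enc-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/enc-cert.pem" -inkey "$WORK/enc-key.pem" \
        -passout "pass:$DEMO_PIN" -out "$WORK/privatekey.p12"
}

# build_mime P12 PIN OUT: multipart/mixed with a text part carrying the PIN
# and a base64 attachment carrying the PKCS#12 file.
build_mime() {
    boundary="openca-p12-boundary"
    {
        printf 'MIME-Version: 1.0\r\n'
        printf 'Content-Type: multipart/mixed; boundary="%s"\r\n\r\n' "$boundary"
        printf '%s\r\n' "--$boundary"
        printf 'Content-Type: text/plain; charset=us-ascii\r\n\r\n'
        printf 'PKCS#12 PIN: %s\r\n\r\n' "$2"
        printf '%s\r\n' "--$boundary"
        printf 'Content-Type: application/x-pkcs12; name="privatekey.p12"\r\n'
        printf 'Content-Transfer-Encoding: base64\r\n'
        printf 'Content-Disposition: attachment; filename="privatekey.p12"\r\n\r\n'
        openssl base64 -in "$1"
        printf '%s\r\n' "--$boundary--"
    } > "$3"
}

# encrypt_mime IN RECIPIENT_CERT OUT: the whole MIME structure becomes the
# content of an S/MIME enveloped-data message; only the holder of the
# private key matching RECIPIENT_CERT can open it.  -binary keeps the
# attachment bytes as they are instead of CRLF-canonicalising the input.
encrypt_mime() {
    openssl smime -encrypt -binary -aes256 -in "$1" -out "$3" \
        -from ca@example.org -to michael@example.org \
        -subject "Your certificate and PIN" "$2"
}

# decrypt_mime IN RECIPIENT_KEY RECIPIENT_CERT OUT: the recipient's side.
decrypt_mime() {
    openssl smime -decrypt -in "$1" -inkey "$2" -recip "$3" -out "$4"
}

# extract_pin DECRYPTED_MAIL: pull the PIN line out of the text part.
extract_pin() {
    tr -d '\r' < "$1" | sed -n 's/^PKCS#12 PIN: //p'
}

# demo_roundtrip: build, encrypt, decrypt; fail if the ciphertext exposes
# the PIN or if the plaintext does not come back byte-for-byte.
demo_roundtrip() {
    make_demo_material
    build_mime "$WORK/privatekey.p12" "$DEMO_PIN" "$WORK/plain.eml"
    encrypt_mime "$WORK/plain.eml" "$WORK/sig-cert.pem" "$WORK/enc.eml"
    decrypt_mime "$WORK/enc.eml" "$WORK/sig-key.pem" "$WORK/sig-cert.pem" "$WORK/dec.eml"
    grep -q "pkcs7-mime" "$WORK/enc.eml"        # S/MIME envelope on the wire
    if grep -q "$DEMO_PIN" "$WORK/enc.eml"; then
        echo "PIN visible in ciphertext" >&2; return 1
    fi
    [ "$(openssl dgst -sha256 < "$WORK/plain.eml")" = \
      "$(openssl dgst -sha256 < "$WORK/dec.eml")" ]
    extract_pin "$WORK/dec.eml"
}

demo_roundtrip
```

The enveloped message gives confidentiality only: anyone able to reach the dataexchange tree could replace it with a message encrypted to the same public certificate. If the RA or user must be able to tell a genuine rollout mail from a substituted one, the CA side should also sign the MIME structure (openssl smime -sign) before or after enveloping, and the recipient should verify that signature before trusting the PIN.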