If you mean the following then it is ok ...

Install RAserver and Public-GW like normal but running only one httpd.
If you want to create a new RAServer-cert you change the ScriptAlias,
DocumentRoot etc. in the httpd.conf, and the DBI.conf is the same on the
CA, RAServer and Public-GW.

I don't really understand why you do this. You can use on the CA a
normal httpd where you can use virtual hosts. This is much easier than
changing the httpd, but of course you must create only two requests/certs
- one for the first RAServer and one for the first RA Operator.

Hm. I think I'm getting confused with the process. What I'm trying to follow is this recommendation from INSTALL-0.8:

In order to use the CA the RA operators need to be given their own
certificates signed by this new Certificate Authority.

These certificates are imported into their web browsers and act as a means of
identifying them to the CA server.

Note that it is recommended that you issue all RA operator and any RA server
certificates manually using a script on the CA server.  This ensures that the
private keys for these certs are kept on the CA server and are not even available
to the RA Operators (only the CA owner has access to these keys).

I'm also trying to figure out what you meant by this earlier mechanism:

1. install the RAServer/Public-GW on the CA-machine too
2. reconfigure the Public-GW so that the Public-GW write the requests
direct into the CA-DBs
3. approve the request on the CA
4. export the certs from the CA
5. reconfigure the RAserver/Public-GW to use their own databases

I'd like to set up the system in the way you recommend, but I'm not sure what that way is :-). From my reading of the docs, this is what I understand I need:

RAserver machine:
        RAserver, PublicGW in one httpd using virtual hosts
        Postgres DB

CA machine, without network:
        CA
        Postgres DB

My reading of your steps 1-5 was to install RAserver/public-gw onto the CA box, solely for the purpose of issuing RA certs (since the CA is supposed to stay offnet), and manipulate the DBI.conf so that they pointed to the database used by the CA (step 2).

--bob
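As an added illustration of the "RAserver, PublicGW in one httpd using virtual hosts" layout described in this thread (this is not configuration from the OpenCA project or from either poster; the hostnames, document roots, script paths and certificate file names are all assumptions chosen for the example), the RAserver machine could run a single Apache with two name-based virtual hosts. The RA interface is restricted to clients presenting a certificate issued by the CA, which is what the INSTALL text means by RA operators importing their certs into their browsers to identify themselves; the Public-GW only needs a server certificate. The CA machine is not in this file at all, since it stays off the network and its own httpd is configured separately.

```apache
# Assumed example: one httpd on the RAserver machine serving both roles.
# Hostnames, paths and file names below are placeholders, not OpenCA defaults.
NameVirtualHost *:443

# --- Public gateway: end users submit requests here, server auth only ---
<VirtualHost *:443>
    ServerName   pub.example.org
    DocumentRoot /srv/openca/pub/htdocs
    ScriptAlias  /cgi-bin/ /srv/openca/pub/cgi-bin/

    SSLEngine             on
    SSLCertificateFile    /srv/openca/pub/ssl/pub-server.crt
    SSLCertificateKeyFile /srv/openca/pub/ssl/pub-server.key
    # No client certificate required for the public gateway.
    SSLVerifyClient none
</VirtualHost>

# --- RA server: operators only, authenticated by their CA-issued certs ---
<VirtualHost *:443>
    ServerName   ra.example.org
    DocumentRoot /srv/openca/ra/htdocs
    ScriptAlias  /cgi-bin/ /srv/openca/ra/cgi-bin/

    SSLEngine             on
    SSLCertificateFile    /srv/openca/ra/ssl/ra-server.crt
    SSLCertificateKeyFile /srv/openca/ra/ssl/ra-server.key

    # Trust only certificates signed by the offline CA for client auth.
    SSLCACertificateFile  /srv/openca/ra/ssl/ca-chain.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Even with a valid client cert, limit access to the RA CGI tree.
    <Directory /srv/openca/ra/cgi-bin>
        Options ExecCGI
        Require all granted
    </Directory>
</VirtualHost>
```

Both virtual hosts read the same DBI.conf on the RAserver box, matching the earlier reply's remark that the database configuration is shared; the only host-specific pieces are the DocumentRoot, ScriptAlias and certificate files. Requiring `SSLVerifyClient require` on the RA host is what makes the recommended practice of issuing operator certificates from a script on the CA server (so the private keys never leave that machine) actually enforce anything.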
