John Waller wrote:
> 
> Ok, let me explain and see if you can help me explicitly.
> 
> I'm creating a ROOT-CA then two subordinate CA's from the ROOT-CA
> 
>             [  ROOT CA ] ------> put in a vault far far away
>                 /        \
>               /            \
> [Internal CA]       [External CA]
>     |                        |
> [User Cert 1]        [Ext. User Cert 1]
> [User Cert 2]        [Ext. User Cert 2]
> ....
> 
> How do I create a subordinate CA certificate?

You simply have to issue a certificate from the ROOT CA with the CA extension
set to true (edit the openssl.cnf file).
 
> You see, I'm using the issueBrowser.bin file you created to generate my browser
> PKCS#12 certificates and giving them to our designated clients.
> 
> I'm using Apache + mod_ssl to validate the users. The Root CA certificate is
> hashed and placed in the ssl.crt/ directory of our Apache configuration. I want
> to place both the Internal and External CA certificates in the directory rather
> than the Root CA certificate for security's sake, so in case one of our
> certificates is compromised we can just reissue a subset vs. the whole set of
> certs.

You'll always need the root certificate + sub ca certificates to validate
every certificate/signatures/etc... don't be worried about having the root
certificate (or any certificate) public -- certificates are meant to be
public and it is often required to have them publicly available.

Let me be explicit: certificates ARE PUBLIC, while keys are to be protected...
 
> Can you tell me which files / perl scripts in particular I need to be looking
> at?

It depends on the version of OpenCA you are using. If you use a 0.8 pre version,
you simply have to add a new .ext file into the $ca/openssl/extfiles dir
with the right usage for the certificate (CA:TRUE) and require the sub-CA
managers to request the CA's certificate using a PKCS#10 request (not a
browser).

-- 

C'you,

        Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                  [EMAIL PROTECTED]
                                                          [EMAIL PROTECTED]
                                                     [EMAIL PROTECTED]
http://www.openca.org                            Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365

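The procedure the reply describes (issue the subordinate CA certificate from the root with the CA extension set to true via an extension file, have the sub-CA request it as a PKCS#10, and keep the root certificate in the validator's trust store), as an added example that is not part of the thread and uses plain openssl rather than OpenCA's scripts. The file names, subjects and extension-file contents are this example's own choices; it builds a root, an Internal and an External CA, issues one user certificate under the Internal CA, and then shows that the user certificate only verifies when the root certificate is also available to the validator, which is the point made in the reply.

```shell
#!/bin/sh
# Added example (not OpenCA's own code): root CA -> subordinate CAs -> user cert
# with plain openssl, then chain verification with and without the root.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs and certs

# Extension files: these play the role of the .ext files mentioned in the reply.
# Sub-CAs get basicConstraints CA:TRUE; the user certificate gets CA:FALSE.
write_ext_files() {
  cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # pathlen:0 lets the sub-CA issue end-entity certs but no further CAs
  cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  cat > "$WORK/user.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# new_csr NAME SUBJECT: fresh RSA key plus a PKCS#10 request (what a sub-CA
# manager would hand to the root CA operator, per the reply)
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# sign_csr NAME ISSUER EXTFILE: issue NAME.crt from NAME.csr under ISSUER,
# applying the extensions from EXTFILE
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 1825 -extfile "$WORK/$3" 2>/dev/null
}

build_pki() {
  write_ext_files
  # Root CA: self-signed, CA:TRUE. root.key is the one that goes into the vault.
  new_csr root "/CN=Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -out "$WORK/root.crt" -days 3650 -extfile "$WORK/ca.ext" 2>/dev/null
  # Subordinate CAs: PKCS#10 requests signed by the root with CA:TRUE
  new_csr internal "/CN=Example Internal CA"
  sign_csr internal root subca.ext
  new_csr external "/CN=Example External CA"
  sign_csr external root subca.ext
  # A user certificate issued by the Internal CA
  new_csr user1 "/CN=User 1"
  sign_csr user1 internal user.ext
}

# is_ca NAME: prints yes if NAME.crt carries basicConstraints CA:TRUE
is_ca() {
  if openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "CA:TRUE"; then
    echo yes
  else
    echo no
  fi
}

# The validator (e.g. Apache's ssl.crt/ directory) holds the root certificate
# and the sub-CA certificate: the chain completes and the user cert is accepted.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/internal.crt" \
    "$WORK/user1.crt" >/dev/null 2>&1
}

# Only the sub-CA certificate is trusted: openssl cannot complete the chain to
# a self-signed root and rejects the user certificate (non-zero exit status).
verify_without_root() {
  openssl verify -CAfile "$WORK/internal.crt" "$WORK/user1.crt" >/dev/null 2>&1
}

build_pki
echo "internal CA has CA:TRUE: $(is_ca internal)"
echo "user1 has CA:TRUE:       $(is_ca user1)"
if verify_with_root; then echo "user1 verifies with root + Internal CA"; fi
if verify_without_root; then
  echo "user1 verifies with Internal CA alone (unexpected)"
else
  echo "user1 does NOT verify with Internal CA alone"
fi
```

The script needs only the openssl command-line tool; run it as `sh build_pki.sh` and inspect the certificates in the scratch directory with `openssl x509 -in FILE -noout -text`. The last two lines of output show why the reply says the root certificate must stay available to the validator: trusting only the subordinate CA certificate leaves the chain incomplete.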