CLEYET-MARREL Benjamin wrote:

> A local registration authority (LRA) is in charge of typing the user
> information into the "pub" IHM interface.
> The keys (private and public) are generated on either the LRA client host
> or the central RA server, depending on user choice.
> For a signing certificate it will be done on the LRA, and for an
> authentication / encryption certificate it will be done on the RA so that it
> can be backed up for renewal purposes.
> (I made the difference by mapping the basic request and the IE/Netscape request
> to the authentication / signing request.)
You can renew every request which you have in your database, so it is senseless to use a basic request or any other request only for this reason. You only need the request to renew the request; you don't need the private key. If you want to back up the private key for key recovery then you must only back up the keys for encryption and not the keys for authentication and signing, but the difference is only made by the extensions. OK, we have one request generated by a basic request on the RA itself and one generated by IE/Netscape on the LRA.

> The certificates are then distributed on a "smart card" and the PIN is at the
> moment distributed by e-mail
> (they should soon be distributed "on paper" if I manage to make the RA
> do it!!)
>
> Therefore, and with this architecture, my main problem is that the LRA is
> typing everything including the PIN number.
> I don't want this. That's why it would be great if the PIN was generated
> automatically by the RA, sent by mail and then written to the "smart card".

The PIN of the card must be set on the LRA because you use the card to generate the signing key. This PIN has nothing to do with OpenCA's PIN. The PIN of the key which is generated on the RA is only important for the import. If your user wants to import a PKCS#12 file which is generated by OpenCA then he enters the PIN for his card and after this he enters the passphrase for the PKCS#12 file, which should be different for security reasons. So there is no need to reduce the PIN length. Nevertheless you can change the PIN length. There is an option MinPinLength in our configuration files (OPENCADIR/etc/servers/*.conf).
Best regards,
Michael

-- 
-------------------------------------------------------------------
Michael Bell                    Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter      Email: [EMAIL PROTECTED]
Humboldt-University of Berlin   Tel.: +49 (0)30-2093 2482
Unter den Linden 6              Fax: +49 (0)30-2093 2959
10099 Berlin                    Germany
http://www.openca.org
-------------------------------------------------------

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
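The RA-side workflow Michael describes (encryption key pair generated centrally so it can be escrowed for renewal, handed to the user as a PKCS#12 whose passphrase is separate from the smart-card PIN, with a minimum PIN length enforced) as an added example; this is not code from the thread or from OpenCA. It assumes the openssl command line tool is installed. The PIN, passphrase, subject name and minimum length are constructed placeholders, and check_pin_length only mirrors the kind of rule MinPinLength expresses; it is not OpenCA's implementation.

```shell
#!/bin/sh
# Added example, not OpenCA's own code. Assumes the openssl CLI is available.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CARD_PIN="1234"             # constructed: PIN that unlocks the card, set on the LRA
P12_PASS="correct-horse-9"  # constructed: separate passphrase protecting the PKCS#12
MIN_PIN_LENGTH=4            # constructed: stands in for the MinPinLength option

# Reject a PIN shorter than the configured minimum (mirrors MinPinLength's intent).
check_pin_length() {
    [ "${#1}" -ge "$MIN_PIN_LENGTH" ]
}

# Generate the encryption key pair on the RA side (so it can be escrowed for
# renewal) and bundle key + self-signed certificate into a PKCS#12 that is
# protected by its own passphrase, not by the card PIN.
make_encryption_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=enc-user" \
        -keyout "$WORKDIR/enc.key" -out "$WORKDIR/enc.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORKDIR/enc.crt" -inkey "$WORKDIR/enc.key" \
        -out "$WORKDIR/enc.p12" -passout "pass:$P12_PASS"
}

# Returns 0 if the given secret opens (MAC-verifies) the PKCS#12, non-zero otherwise.
# This is the second prompt the user sees at import time, after the card PIN.
p12_opens_with() {
    openssl pkcs12 -in "$WORKDIR/enc.p12" -passin "pass:$1" -noout 2>/dev/null
}

# Usage: generate the bundle, then confirm the card PIN alone cannot open it.
# make_encryption_p12 && p12_opens_with "$CARD_PIN" || echo "card PIN does not open the PKCS#12 (expected)"
```

The point of keeping the two secrets distinct is visible in p12_opens_with: the PKCS#12 that travels from the RA to the user is a self-contained copy of the private key, so whoever learns the card PIN (which the LRA operator types) still cannot unwrap the escrowed encryption key without the separate passphrase.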
