Greetings Alexey,

To understand the concept of CA hierarchies I would suggest a review of the Secure Electronic Transactions (SET) specification. That protocol is supported by a relatively deep CA hierarchy (4 levels of CA from the root CA to the service level CAs). Though not a standard CA in terms of hierarchy chaining and root forward chaining, it still illustrates the use of a multi-tiered hierarchy.

For single-application CA (hierarchy) as a matter of regular use, it is better practice to generate a root CA and keep it off-line. The root signs a "subordinate" CA that actually signs end-user certificates.

There are several advantages to this scheme. It is very scalable and can be managed in a distributed CA environment (multiple subordinate CAs all chaining to a single root), a method of providing contingencies in the event that a subordinate fails (just generate a new subordinate), subordinate CA management through the expiration management of its certificate (without impacting the expiration of the root or its hierarchy) and others.

IIRC, there are descriptions of the concept and guiding standards for deployment in ISO 9564.

Please let me know if there are any questions about it.

Best regards,
Bill

Alexey Chetroi wrote:
> Hello,
>
> I'm a newbie to openca, so sorry in advance for
> the dumb questions :)
>
> I'm playing around with openca, wanting to set up some
> kind of CA, which would include 2 machines: one for CA and
> another one for RA and PUB components. But I'm a bit confused
> by the --with-hierarchy-level configure option. What should it
> be for a CA machine and an RA machine?
> For the test setup I install openca in different directories with
> apache configured for virtual servers on different IP addresses.
>
> PS: could somebody advise links for newbies in CA?

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
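
Added example, not part of the original thread and not OpenCA's own tooling: the two-tier layout described in the reply above (off-line root, a subordinate that signs end-user certificates, a replacement subordinate as the contingency), built with the `openssl` CLI. All names, lifetimes and file paths are constructed for the demo.

```bash
#!/bin/sh
# Added demo, not OpenCA's own tooling. All names (Demo Root CA, Demo Sub CA 1/2,
# alice, bob) are constructed; keys live in a throwaway temp directory.
set -e
WORK=$(mktemp -d)

cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

# Self-signed root, 10 years. In a real deployment this key stays off-line.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# issue NAME CN ISSUER EXT_SECTION DAYS: new key + CSR, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -sha256 -days "$5" -extfile "$WORK/ca.cnf" \
    -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
}

# chain_ok USER SUB: succeeds only if USER chains through SUB to the root.
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$2.crt" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

make_root
issue sub1  "Demo Sub CA 1" root v3_ca   365   # subordinate expires before the root
issue alice "alice"         sub1 v3_user 90    # end-user cert signed by the subordinate
# Contingency: sub1 is lost, so the root signs a replacement; the root is unchanged.
issue sub2  "Demo Sub CA 2" root v3_ca   365
issue bob   "bob"           sub2 v3_user 90

chain_ok alice sub1 && echo "alice via sub1: OK"
chain_ok bob   sub2 && echo "bob via sub2: OK (same root trust anchor)"
chain_ok alice sub2 || echo "alice via sub2: rejected (signed by sub1's key)"
```

Relying parties only ever install `root.crt`; the subordinate certificates travel with the end-user certificate as untrusted intermediates, which is why a subordinate can be replaced or expire without touching the root.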
