Hello Simon, I am copying this to the list as it may be useful to other new users.
> I'm new to OpenCA but I'm trying to create two different certificates per
> user like you've done. Can you just spend some time explaining to me how it
> is possible with OpenCA? Unfortunately I didn't understand exactly how it
> works so I'm going round and round without a solution ;)

OK, first off, certificate profiles are stored at the CA. There are two important file types, the conf and ext. They are in /usr/local/OpenCA/openca/etc/openssl/openssl and ../openssl/extfiles. These files describe the certificate and the certificate extensions, so you can change things like cert lifetime and CRL distribution points by manipulating these files.

Now to create a new certificate type, you go to the CA screens and find the menu option "Configuration" and then "Roles", add a new role and give it a name. Now export the CA configuration to your RA. You will now find that you have another certificate type for the user to choose when they request a cert.

By default the new role will have the same details as the User cert. If you want to change things then you need to edit the ".ext" files. If you want a signing and authentication only cert then you need to mod the keyusage line to:

    keyUsage = nonRepudiation, digitalSignature

If you want an encryption only cert then this line must read:

    keyUsage = keyEncipherment

What you will find is that by default all three options are enabled and it is a question of deleting the ones you don't want.

I hope this helps.

Chris...

PS I have worked out how to only publish the encryption certs to the directory now, so if you want to know how to hack the right library then drop me a line.

C
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
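A small check for the split described in the message above, added here as an example and not part of the original post or of OpenCA: it reads the keyUsage line of each role's ".ext" file and reports whether the profile is signing-only, encryption-only or still carries both. The role names and file contents are constructed samples, and the code assumes one keyUsage line per file.

```python
import re

# The usages named in the message, grouped by purpose.
SIGNING = {"digitalSignature", "nonRepudiation"}
ENCRYPTION = {"keyEncipherment"}

def parse_key_usage(ext_text):
    """Return (critical, usages) from the first keyUsage line, or None if absent."""
    for raw in ext_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # ignore comments
        m = re.match(r"keyUsage\s*=\s*(.*)$", line)
        if m:
            values = [v.strip() for v in m.group(1).split(",") if v.strip()]
            return ("critical" in values, {v for v in values if v != "critical"})
    return None

def classify(ext_text):
    """Classify one extension file by the key usages it grants."""
    parsed = parse_key_usage(ext_text)
    if parsed is None:
        return "unrestricted"                        # no keyUsage extension at all
    _, usages = parsed
    sign, enc = usages & SIGNING, usages & ENCRYPTION
    if sign and enc:
        return "mixed"                               # one key signs and decrypts
    if sign:
        return "signing"
    if enc:
        return "encryption"
    return "other"

def audit(profiles):
    """Map each role name to its classification."""
    return {role: classify(text) for role, text in profiles.items()}

# Constructed sample extension files, one per role (role names are hypothetical).
SAMPLES = {
    "User": "basicConstraints = CA:FALSE\n"
            "keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n",
    "Signing": "basicConstraints = CA:FALSE\n"
               "# keyUsage = keyEncipherment\n"
               "keyUsage = nonRepudiation, digitalSignature\n",
    "Encryption": "basicConstraints = CA:FALSE\n"
                  "keyUsage = critical, keyEncipherment\n",
}

if __name__ == "__main__":
    for role, kind in audit(SAMPLES).items():
        print(f"{role}: {kind}")
```

A role reported as "mixed" is one that was created but still has the default User settings, which is the state the message says a new role starts in.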
