Well, I don't have answers for all your questions, but I can give you some pointers that I know :)
> Beside that I have some further questions regarding other points, still
> under the same restriction (hope others will read and reply too):
>
> b. What about having RBAC on both RA and CA? I guess I might still not have got
> the point of RBAC! As I understand the doc, it should help big rollouts and
> lower the maintenance!
> What format does the user list have to have to import it into RBAC if I want
> to have the users send their certificates?
> Where does any system take the passwords from, or does OpenCA generate
> them by itself?

RBAC makes sense only when a larger number of users have access to one server and we want to restrict users' privileges depending upon their role. Obviously the CA server is ruled out here, since in a production environment the CA server will be isolated from the network (standalone) and run in a highly secure environment (physical protection). Only a few people will have access to the system, unless your PKI is very big and you need more people to play the role of CA operator.

So, the RA server is the first place to install RBAC. You can have HTTPS with client authentication (I think you sent mail to the list about it a few days back) to protect the RA server. If you do so, depending upon your ACL, people are allowed to do certain things on the RA server. We normally use the CA server to define the ACL and import it into the RA server. Perhaps Michael and the gurus on the list can tell us if I have given any wrong procedure.

Also, I don't understand what you are mentioning about the format, user list and passwords that OpenCA generates by itself :(. Are you talking about the client-side certificate info that is sent to the RA server when you enable RBAC and HTTPS with client auth?

> d. How do I prepare my CA for the case my CA certificate becomes invalid,
> stolen, etc.? Can I have a second certificate that overlaps in time to
> create a new certificate, similar to a cross-CA certificate?

If your CA certificate has expired, then you go for renewal.
Generating a new instance (CA key and cert) will demand complete revocation of all previously issued certs and starting the whole thing from scratch. Obviously this is one thing we don't want to do. If you lost your CA private key, say when the system crashes, then you are in big trouble: you can't issue new certificates. But there is a workaround: you can go for a secret-sharing scheme to maintain a root CA private key backup.

But I also don't know how long we can keep maintaining the same CA key and cert for a PKI. Even in cert renewal we keep using the same key, I guess. (Michael, am I wrong here?) What is the advisable procedure for regenerating the root key and cert? Sorry, instead of answers I keep adding more questions. I really don't know.

-venki.

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
