Hi all
I have some questions, some of them directly concern OpenCA, some other are about PKI in general.

1) If I update a CA certificate (new key pair) after 70% of the old CA certificate's lifetime, I must still be able to use the old CA private key for signing CRLs for the certificates signed with the old key, because these users are supposed to find a CRL signed with the same key as their certificate (I hope this is correct).
Does OpenCA provide (or will it provide) any functionality to choose between several CA keys?

2) In the same field: Do I have to change the name of the CRL (or the CDP) in the certificates I sign with the new CA private key so that it does not conflict with the old CRL? (I think yes, but maybe there is another solution here.)

3) As users need to get the old CA certificate too to verify certificates signed with the old CA private key, they must be able to retrieve both the old and the new certificate from the public interface. Does OpenCA offer any possibility to choose between 2 different CA certificates? (Maybe this choice should be possible as long as 2 or more valid CA certificates are found in the database.)

4) I want to define several Sub-CAs, one for each type of certificate I want to issue (example: 1 Sub-CA for issuing SSL certificates only, 1 for issuing S/MIME certificates ...). So I thought of defining an extendedKeyUsage in these Sub-CA certificates (for the SSL Sub-CA set extendedKeyUsage to clientAuth and serverAuth, for the S/MIME Sub-CA set extendedKeyUsage to emailProtection) and then issuing user certificates with this extendedKeyUsage only. So my question is: is there someone who thinks that this is a bad idea, or does this seem ok?

5) Is there a special reason why none of the certificate templates defined in OpenCA contains a critical keyUsage field (for example, the Web-Server keyUsage extensions are keyEncipherment and dataEncipherment, but they are not critical, so the usage is not restricted to these usages)?

6) Is there a place on the Web where I can find the OIDs for all existing keyUsage and extendedKeyUsage values?

Thanks for any comments

Pierre

_________________________
Pierre Scholtes
Unicible

tel: +41 (0)21 644 6111
fax: +41 (0)21 644 6300
mailto:[EMAIL PROTECTED]
http://www.unicible.ch
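
Added here as an example of the design asked about in questions 4 and 5 (one EKU-restricted Sub-CA per certificate type, with a critical keyUsage); it is not code from the original mail or from OpenCA. It assumes only an `openssl` command line (1.1.1 or 3.x) and uses constructed test names: it builds Root -> SSL Sub-CA -> leaf and then asks OpenSSL's path validation whether the chain may be used for a TLS server and for S/MIME signing.

```shell
# Added example, not from the post or from OpenCA. Assumes `openssl` (1.1.1 or 3.x)
# is on PATH. Builds Root -> SSL Sub-CA (EKU serverAuth,clientAuth, critical
# keyUsage) -> leaf, then asks OpenSSL whether the chain is usable for a TLS
# server and for S/MIME. The leaf deliberately carries emailProtection too, so
# a rejection for S/MIME must come from the Sub-CA's EKU, not from the leaf.
set -eu; WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[subca_ssl]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
[leaf]
# "critical" is what the Web-Server template in the post lacks: a relying party
# that does not understand a critical extension must reject, not ignore, it
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, emailProtection
EOF
newkey() { # newkey <name> <CN>: fresh RSA key + CSR for a constructed test identity
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}
newkey root "Example Root CA"; newkey subca "Example SSL Sub-CA"; newkey leaf "www.example.test"
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ext.cnf -extensions root -out root.pem 2>/dev/null
openssl x509 -req -in subca.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ext.cnf -extensions subca_ssl -out subca.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA subca.pem -CAkey subca.key -CAcreateserial \
  -days 365 -extfile ext.cnf -extensions leaf -out leaf.pem 2>/dev/null
# chain_ok <purpose>: exit 0 if OpenSSL accepts root->subca->leaf for that purpose
chain_ok() {
  openssl verify -purpose "$1" -CAfile root.pem -untrusted subca.pem leaf.pem >/dev/null 2>&1
}
# ku_critical <cert.pem>: exit 0 if the certificate's keyUsage is marked critical
ku_critical() { openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Key Usage: critical'; }
chain_ok sslserver && echo "TLS server chain: accepted"
chain_ok smimesign || echo "S/MIME chain: rejected (SSL Sub-CA EKU lacks emailProtection)"
```

Note that RFC 5280 does not itself define extendedKeyUsage in a CA certificate as a path constraint; OpenSSL (as shown) and a number of other validators enforce it anyway, so the Sub-CA EKU is best treated as defence in depth on top of each Sub-CA's issuing policy rather than as the only control.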
