Hi,

First, I'm not a PKI guru nor an OpenCA guru. But I think I can give you some answers:

> 1. While defining custom certificate profiles (using OpenSSL extfiles I
> presume), does it have the ability to include the appropriate key usages
> and extended key usages?

Your assumption is correct - you have complete control over the extfiles. Each existing extfile is referenced by a role, and you can easily define new roles - but then you must manually generate the appropriate new extfile (and *.conf file).

> 2. Does this solution have the ability to include Basic constraints for
> certificates.

Everything you can do with OpenSSL you can do with OpenCA.

> 3. Are there appropriate APIs available to interface with other applications
> and to customize the functions of the CA? (preferably the automatic
> enrollment process)

There is no API in the sense of library functions. But there are batch processors available which are fed by text files. Thus you can attach e.g. your ERP system to OpenCA to automatically generate hundreds of certificates.

> 4. Does it have the capability for bulk issuance and/or bulk revocation of
> certificates?

I'm not sure if I'm right, but I think there are batch processors for nearly all kinds of normally manually used functions.

> 5. Support for multiple character sets (for international languages)?

Concerning the web frontend: yes and no. You can choose from some languages at installation (and with a little bit of luck it works...), but there is no multi-language capability (in the sense of: depending on the browser's language request) nor capability for Chinese et al.

> 6. Ability to publish certificates to a directory whenever a certificate is
> issued or all certificates issued.
> (Also, can OpenCA integrate with a directory server like I-Planet?)

Yes. LDAP. I think I-Planet works - but search the list...

> 7. CRL related
>       7.1 Ability to configure the frequency and validity period of CRL

Yes - it's OpenSSL-stuff...

> 7.2 Ability to support CRL Distribution points

Yes - it's OpenSSL-stuff...

> 7.3 Ability to force generation of a CRL on an ad-hoc basis

I don't understand what you mean. Perhaps it's the following: I think you can use a batch processor for generating a new CRL e.g. every first day of the month.

> 7.4 Can it support large CRL sizes? Is there a limitation for the
> number of revoked certificates that may appear on the CRL?

Differential or incremental CRLs are not supported. And I don't know about any plans in this direction...

> 8. Does OpenCA support suspension and revocation of certificates also?

Yes. On revocation at the RA a certificate is suspended, and with the issuing of the revocation at the CA it is revoked.

> 9. I have seen that OpenCA packages an OCSP daemon. I have a few questions
> regarding that.
> 9.1 Are all the OCSP responses signed (requests/responses over SSLv3)?
> 9.2 Are they capable of handling around 100 validations/min
> without affecting system performance?
> 9.3 Can the OCSP signing key be a separate set of keys/certificates
> used for signing requests/responses and OCSP server SSL,
> and can these keys be generated and operated within
> an HSM that is FIPS 140-2 Level 3 compliant?

I don't have any experience with OCSP. Perhaps search the list for that topic ;-)

> 10. Scalability and Performance of OpenCA (Maximum number of certificates
> which can be issued and the issuance rate e.g. 10 certs/min)

There was recently (summer this year) a thread on the list. I think somebody published detailed data.

> 11. Can OpenCA support distributed RAs / distributed servers to handle large
> capacity loads? If this supports multiple levels of CAs and RAs,
> then is there a limitation for the depth of these levels?

Out of the box: definitely not! And from a security point of view I think it isn't a good idea... Better use bigger servers - with some work (you need Apache, OpenSSL, Perl and some GNU utilities) OpenCA should be installable and runnable on nearly every Unix-like system.

I hope this helps...

Regards,
Gottfried



_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users