> I am new to the wonderful world of PKI and X.509 but after tons of reading I have more questions than answers.

That's not so unusual :)

> I haven't been able to get OpenCA to work yet either!

Checked out this: http://www.openca.org/openca/docs/ ?

> What I am looking at is creating and installing certificates for IPSec devices in a production environment.
> Generating a unique certificate for every device and installing it in a production line will be rather time consuming so I'm trying to figure out what the options are.

But this is the only one that makes sense - if you use one certificate for all machines and this one gets stolen you have a security breach in ALL IPSec devices.

> Must the certificate request generated by the RA be signed by the CA before it can be installed into the device?

Yes - the RA makes a "certificate request" - the signing of the request with the CA's root key will make a certificate out of the request.

> The ideal would be if the device can request a certificate from a production site RA/CA and then download it to the device and the CA database is transported to the "real" CA, but this requires that the production setup is an exact match to the real CA considering address, CA public key, certificate serials, right?

It's easier to set up a three-step process - the device requests a new certificate at the RA, the operator commits the request and signs it on the CA, the device can download the certificate from the RA.

> Using the real CA (e.g. the request is sent when the customer plugs it in) presents a problem since the only thing unique is the serial number and then anybody can get a valid certificate as long as they provide a correct serial number.

Is your device capable of generating its keys on its own? Then you should do this and only get the certification from the CA, not the keys - then you have no problem because without the secret key, the certified public one is worthless.

> One idea I have is to install one batch certificate, e.g. the same public key, and then the CA would be able to match the certificate with the serial number and complete the certificate, or issue a new one?

No - will not work - you should strongly use one public key with one certificate. Otherwise you will run into serious trouble !!!

> TIA /Stefan

HTH
Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
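The provisioning flow Oliver recommends (the device generates its own key pair and only sends a certificate request to the RA, the operator signs on the CA, the device downloads the certificate and checks it against the CA, and one public key is bound to exactly one certificate) as an added worked example in Go using only the standard library. This is illustrative code written for this page, not OpenCA's code or anything from the thread; the CA name "Example Production CA", the device serial numbers and the validity periods are constructed values. It goes slightly beyond the mail in two places: the CA checks the CSR's self-signature (standard proof that the requester holds the private key) and it refuses any public key it has already certified, which is exactly what turns the "batch key" idea into a rejected request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must turns an unrecoverable setup error (key generation, self-signing the CA) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewDeviceKey generates the key pair on the device itself; the private half never leaves it.
func NewDeviceKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// DeviceCSR builds the DER-encoded request (public key + device serial as CN) handed to the RA.
func DeviceCSR(serial string, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

var ErrKeyAlreadyCertified = errors.New("public key already bound to an issued certificate")

// CA is a minimal self-signed issuing CA that remembers every public key it has certified.
type CA struct {
	cert       *x509.Certificate
	key        *ecdsa.PrivateKey
	nextSerial int64
	issued     map[string]string // SHA-256 of SubjectPublicKeyInfo -> device serial
}

// NewCA creates a self-signed CA certificate, a constructed stand-in for the production CA.
func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Production CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{cert: must(x509.ParseCertificate(der)), key: key, nextSerial: 2, issued: map[string]string{}}
}

// Sign is the operator's commit step on the CA: verify the CSR self-signature (proof the device
// holds the private key), refuse a public key that was already certified, issue with a fresh serial.
func (ca *CA) Sign(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	fp := fmt.Sprintf("%x", sha256.Sum256(csr.RawSubjectPublicKeyInfo))
	if owner, dup := ca.issued[fp]; dup {
		return nil, fmt.Errorf("%w (first issued to device %s)", ErrKeyAlreadyCertified, owner)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(2 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	ca.nextSerial++
	ca.issued[fp] = csr.Subject.CommonName
	return x509.ParseCertificate(der)
}

// ProvisionDevice runs the three steps end to end: the device requests, the operator signs on
// the CA, the device downloads the certificate and checks that it chains to the CA it trusts.
func ProvisionDevice(ca *CA, serial string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := DeviceCSR(serial, key)
	if err != nil {
		return nil, err
	}
	cert, err := ca.Sign(csr)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return cert, err
}
```

Provisioning two devices with `ProvisionDevice(ca, "SN-0001", NewDeviceKey())` and `ProvisionDevice(ca, "SN-0002", NewDeviceKey())` yields two certificates with distinct serials; handing a third serial the first device's key pair (the "batch key" idea from the thread) makes `Sign` return `ErrKeyAlreadyCertified`, and a request whose signature does not match its public key fails the proof-of-possession check before anything is issued. In a real deployment the `issued` map would be the CA database, and that database (not the private keys, which stay on the devices) is what would have to be carried from the production site to the "real" CA.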