Michael Portz wrote:

Just to get an understanding of the Cisco implementation: What do you
need the 2nd RA certificate for?

ok, this may be a bit of a misleading formulation, what i mean is:

the scep-interface acts like an ra for the scep client
ra means in this sense - it's a pre-ca-instance and this
cert and private/public key is used for the communication
between the interface and the scep-client

the signed cert for the client itself is signed by the ca then
also the 'ra'-cert has to be signed by this ca...

so the scep client can verify the chain
therefore you also just have to check the fingerprint of the ca, since everything gets evaluated against it, in the end


so the trust-chain also works

so - the normal ra-interface usually also gets a cert, that's why i wrote, create an additional one... but the 'normal' one for the ra/public interface isn't used with the scep-interface

so it would also be possible to use the 'normal' ra certificate for the scep-interface too - you just have to set the paths to point there

since both are web-server certs - but i prefer to have a separate certificate for the scep-interface only - but this is a design question of your pki

greetings
dalini
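
The chain described in the reply above, as an added example that is not part of the original post or OpenCA's own code: a throwaway CA signs a separate certificate for the SCEP interface, and the client side pins only the CA fingerprint, then checks that the RA certificate chains to that CA. File names, subjects and function names are constructed for the illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added illustration: constructed CA and SCEP-RA certificates, placeholder names.

# Create a throwaway CA and an RA certificate signed by it in directory $1.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA (constructed)" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Demo SCEP RA (constructed)" \
        -keyout "$dir/ra.key" -out "$dir/ra.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/ra.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/ra.pem" 2>/dev/null || return 1
}

# Print the SHA-256 fingerprint of certificate $1 (hex pairs separated by ':').
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Client-side check. $1 = CA cert received, $2 = RA cert received,
# $3 = CA fingerprint obtained out of band.
# Returns 1 if the CA is not the pinned one, 2 if the RA cert was not
# issued by that CA, 0 if the chain is good.
check_ra() {
    ca=$1; ra=$2; expected_fp=$3
    if [ "$(ca_fingerprint "$ca")" != "$expected_fp" ]; then
        echo "CA fingerprint mismatch"; return 1
    fi
    if ! openssl verify -CAfile "$ca" "$ra" >/dev/null 2>&1; then
        echo "RA certificate does not chain to the pinned CA"; return 2
    fi
    echo "RA certificate chains to the pinned CA"
}

# Demo run on constructed certificates.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" &&
    pinned=$(ca_fingerprint "$demo_dir/ca.pem") &&
    check_ra "$demo_dir/ca.pem" "$demo_dir/ra.pem" "$pinned"
rm -rf "$demo_dir"
```

Only the CA fingerprint is compared by hand; the RA certificate is accepted or rejected purely by signature verification against that CA.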


Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users