On Mon, 01-03-2004 at 16:25, Michael Bell wrote:
> Teo Romera wrote:
> > Hi all:
> >
> > I am trying to set up a remote access service to a local network with an Enterasys VPN router. I want to use IPsec for the tunneling and certificates for user authentication.
> >
> > The VPN router needs the CA to 'speak' SCEP to obtain its own certificate and the CA's certificate. So I need OpenCA with SCEP support, and that is why I am using the latest snapshot.
> >
> > In fact, I guess that the ideal setup would be just one machine which makes certificates for itself, the router and the clients and is accessible to the router via SCEP.
> >
> > Now my questions.
> >
> > First of all, do you think this is possible? I am quite a newbie and I am not pretty sure of what I do.
>
> Yes, it's possible.
>
> > If I do not want to use the CA for any other kind of service, do I still need two servers (RA and CA)?
>
> Yes, because the CA key should never be online. If you misconfigured your router one time, then you don't know what is with your CA if the key is online.
Ok, so I need two servers. One as a CA, which should be offline, and the RA, which should be online. By the way, what is the difference between an RA server and the thing that is called public PKI server in the documentation? RA, CA, public PKI server... I still do not know which of those I need. Should I choose make-offline for one of my servers and make-online for the other?

Will the offline CA be the root CA? If so, it will sign its own cert and the RA's cert, is that it? I have seen it in "1.1.4.2. Signed by another CA".

The RA will be accessed by users to make cert requests via http or https. If a user makes a request... how is it approved? Does the RA sign it? If it does, it should use its own cert to sign the new cert. What is the point of the other CA server then? If the RA does not sign the new certificates itself... then the CA should do it. How does the CA sign the new certificates if it is offline? Should I physically take the request to the CA, make it sign them and take back the new certs to the RA for the users to retrieve their certs?

How about the SCEP thing? The SCEP-speaking router would contact the RA to obtain the CA cert and make a request for its own cert. So will the RA sign the cert for the router? And can the RA just give out the CA's cert to the router?

> > If using just one machine is possible, should I set it up as a RA or as a CA?
>
> If you have all interfaces on one computer then the hierarchy level is irrelevant. I hope you know what a CA and a RA is.

You said I would need two servers, and now you say that I can have all interfaces in one computer. I don't get that. I thought interfaces were very close to the server's role and a CA should always have the same interfaces (ca and node) and the same for a RA (which would always have ra, ldap, pub, scep and node).

> Michael

As you can see, I lack a global view of the PKI infrastructure that I should use. Two servers? Just one? If two servers, what should each of them take care of?
Globally I just need a cert for the SCEP-speaking router and a way to issue certs for the remote access users when they request them. Which should be the "deployment view"? I know I can handle installation and configuration issues, but I just don't see how it all would work altogether.

TIA
--
Teo Romera <[EMAIL PROTECTED]>

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
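An added example, not from this thread and not OpenCA's own code: the offline-CA / online-RA split that Michael Bell's reply calls for, sketched with plain openssl commands so the flow Teo asks about (CSR carried to the offline CA, signed certificate and CA certificate carried back, only public material ever on the online host) can be run end to end on one machine. The directory names `OFFLINE_CA` and `ONLINE_RA`, the `transfer_*` functions and the `vpn-router` subject are assumptions standing in for two separate hosts and the manual transport between them; OpenCA's own RA, pub and SCEP interfaces are not modelled.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenCA code): offline root CA signs
# requests that an online RA collects. The two directories are assumptions
# standing in for two separate machines.
set -eu

WORK="${WORK:-$(mktemp -d)}"
OFFLINE_CA="$WORK/offline-ca"   # assumption: the air-gapped CA host
ONLINE_RA="$WORK/online-ra"     # assumption: the host users and the router reach

# Step 1 (offline host): self-signed root CA. The private key stays here.
setup_root_ca() {
  mkdir -p "$OFFLINE_CA/inbox" "$OFFLINE_CA/outbox"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Root CA" \
    -keyout "$OFFLINE_CA/ca.key" -out "$OFFLINE_CA/ca.crt" 2>/dev/null
}

# Step 2 (online host): the RA collects a request. Only the CSR travels;
# the requester's private key never leaves the RA side.
ra_collect_request() {
  name="$1"
  mkdir -p "$ONLINE_RA/requests"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" \
    -keyout "$ONLINE_RA/requests/$name.key" \
    -out "$ONLINE_RA/requests/$name.csr" 2>/dev/null
}

# Step 3 (manual transport): carry the CSR to the offline CA's inbox.
transfer_to_ca() {
  cp "$ONLINE_RA/requests/$1.csr" "$OFFLINE_CA/inbox/"
}

# Step 4 (offline host): the CA signs and drops the certificate in its outbox.
ca_sign_request() {
  name="$1"
  openssl x509 -req -sha256 -days 90 \
    -in "$OFFLINE_CA/inbox/$name.csr" \
    -CA "$OFFLINE_CA/ca.crt" -CAkey "$OFFLINE_CA/ca.key" -CAcreateserial \
    -out "$OFFLINE_CA/outbox/$name.crt" 2>/dev/null
}

# Step 5 (manual transport): carry the issued cert and the CA's public cert
# back to the RA, which may publish both (the CA cert is what an SCEP
# client would fetch first).
transfer_to_ra() {
  mkdir -p "$ONLINE_RA/issued"
  cp "$OFFLINE_CA/outbox/$1.crt" "$ONLINE_RA/issued/"
  cp "$OFFLINE_CA/ca.crt" "$ONLINE_RA/ca.crt"
}

# Check 1: the RA can verify an issued cert against the CA cert it publishes.
ra_verify() {
  openssl verify -CAfile "$ONLINE_RA/ca.crt" "$ONLINE_RA/issued/$1.crt" >/dev/null 2>&1
}

# Check 2: no CA private key material ended up on the online host.
ra_has_no_ca_key() {
  [ ! -e "$ONLINE_RA/ca.key" ]
}

run_flow() {
  setup_root_ca
  ra_collect_request "$1"
  transfer_to_ca "$1"
  ca_sign_request "$1"
  transfer_to_ra "$1"
}

run_flow vpn-router
```

The point of the split is visible in the last two checks: everything the online host needs to serve users and the router (the CA certificate and issued certificates) is public, so a compromised RA or a misconfigured router exposes no signing key, while issuance still happens only when someone moves a CSR to the offline machine and a certificate back.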
