Teo Romera wrote:

> How about the SCEP thing? The SCEP-speaking router would contact the RA
> to obtain the CA cert and make a request for its own cert. So will the
> RA sign the cert for the router? and, can the RA just give out the CA's
> cert to the router?

No, I don't know which kind of router you use, but usually you can tell them if they talk directly to a CA or to an RA, so they know there is a step in between.


That means:
the communication between the SCEP interface and the router/clients (whoever uses the SCEP functionality) is secured with the cert for this interface, which is signed by the CA too.


The CA is always used to issue certificates, the ones for the RA as well as for the router and for the clients; it's always the CA that does this.

> Globally i just need a cert for the SCEP-speaking router and a way to
> issue certs for the remote access users when they request them. Which
> should be the "deployment view"? I know I can handle installation and
> configuration issues, but I just don't see how it all would work
> altogether.

Usually the whole administrative work is handled at the RA level, if one exists, so there all the requests get handled by one or more RA operators, even the request for the router; this works quite transparently actually.

The RA operator will see a request, maybe change this and that, then approve it, usually signing with their own cert, so the CA (CA operator) can later verify who approved the requests.

Then those approved requests get exported (on a USB stick, a tape, a disk, whatever) and transported to the offline CA; there you import the data through the node interface (which actually handles the data export and import between the machines), and then the certificates get issued there, either manually or automatically through the batch system.

Then it all goes backwards: export the certs from the CA, import them at the RA.
When the certs are imported at the RA, they can be fetched by the users and also by the router through SCEP. Of course it is possible that a user requests a cert through SCEP too, if his client supports this, and so on; there are a lot of options, depending on your environment and needs and so on... ;o)


And don't forget to issue a CRL; I think the router at least will need one for proper operation, otherwise it could be difficult for it to decide whether a certificate is really still valid or not.

Of course it is possible that this all gets handled by one person ;o)
In larger scenarios this usually gets divided, as the technicians and the people who decide who is allowed to use something, like the VPN access, are different.


greetings
dalini
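The reply above describes the round trip (request approved at the RA, issued by the offline CA, certs and a CRL handed back, the router then able to check revocation). The script below is an added example, not code from the thread or from OpenCA: it acts out the offline-CA half of that round trip with plain openssl in a scratch directory, standing in for the RA approval, the USB/tape transport and the SCEP transport with simple file handoffs. The directory name, the CA name "Demo Offline CA", the router name "vpn-router.example" and the config-section names are all constructed for the demo. The last two checks show exactly the point about the CRL: the same revoked router cert is rejected when the relying party consults the CRL and accepted when it does not.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenCA): the offline-CA workflow
# with plain openssl.  WORK, the CA and router names and the config section
# names are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch dir standing in for the CA/RA disks

# Offline CA: own config (so nothing depends on the system openssl.cnf),
# self-signed CA cert, and the database files "openssl ca" needs.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca_demo ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ca.cnf" -extensions v3_ca_demo \
    -subj "/CN=Demo Offline CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  : > "$WORK/index.txt"          # issued-certificate database, empty at start
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
}

# Router side: key pair and CSR (what it would hand to the RA over SCEP).
make_router_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=vpn-router.example" \
    -keyout "$WORK/router.key" -out "$WORK/router.csr" >/dev/null 2>&1
}

# Offline CA: issue the cert from the approved CSR (batch mode, no prompts).
issue_cert() {
  openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -in "$WORK/router.csr" -out "$WORK/router.crt" >/dev/null 2>&1
}

# Offline CA: publish a CRL (the "don't forget the CRL" step).
publish_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Offline CA: revoke the router cert and publish a fresh CRL.
revoke_router_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/router.crt" >/dev/null 2>&1
  publish_crl
}

# Relying party (the router or a VPN peer) checking the cert WITH the CRL.
router_cert_status() {
  if openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
       "$WORK/router.crt" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}

# The same check WITHOUT a CRL: a revocation is invisible here.
router_cert_status_no_crl() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/router.crt" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}

demo() {
  make_ca; make_router_csr; issue_cert; publish_crl
  echo "after issue, with CRL:     $(router_cert_status)"
  revoke_router_cert
  echo "after revoke, with CRL:    $(router_cert_status)"
  echo "after revoke, without CRL: $(router_cert_status_no_crl)"
}

demo
```

Run it with `sh demo.sh`; it needs only the openssl command-line tool. In the real setup the CSR, the issued cert and the CRL travel through the RA, the node-interface export/import and SCEP instead of sitting in one directory, but the files and the checks are the same, which is why the CRL has to make the trip back to the RA together with the certs.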


Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users