Dr. Rodney McDuff wrote: [...]
Actually no I didn't. It's not obvious to me how you would do this with the openca OCSP responder. Or did you need different signing keypairs for each configured CA? The box has the RAs for 9 CAs on it, each of which is in a hierarchy like

root --------- CA 1 ----------- CA 1.1
   |
   +------ CA 2 ----------- CA 2.1
   |
   +------ CA 3 ----------- CA 3.1
   |
   +------ CA 4 ----------- CA 4.1

Each CA has issued an OCSP Signing cert with the OCSPSigning attribute. If there is a way to do this by using only 1 openca OCSP responder I would be keen to know it.

It is very simple indeed: just edit the config file and, in the dbms section,
list all 9 CA sections, like this:
---
0.ca = @first_ca
1.ca = @second_ca
2.ca = @third_ca
...
8.ca = @eighth_ca
---
Then add the listed CAs (in the config file) by adding:
---
[ first_ca ]
crl_url = file:///crls/crl_01.pem
ca_url = file:///certs/1st_cacert.pem
[ second_ca ]
crl_url = file:///crls/crl_01.pem
ca_url = file:///certs/1st_cacert.pem
[ third_ca ]
crl_url = file:///crls/crl_01.pem
ca_url = file:///certs/1st_cacert.pem
...
[ eighth_ca ]
crl_url = file:///crls/crl_01.pem
ca_url = file:///certs/1st_cacert.pem
---
Obviously some of the CAs' data can be downloaded from LDAP and some from
file; it depends on your local configuration. Nevertheless it is very simple.
Let me know if you have problems and/or questions.
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
Tel.: +39 (0)11 564 7081
http://security.polito.it Fax: +39 178 270 2077
Mobile: +39 (0)347 7222 365
Politecnico di Torino (EuroPKI)
Certification Authority Informations:
Authority Access Point http://ca.polito.it
Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List: http://ca.polito.it/crl02/crl.crl
--o------------------------------------------------------------------------
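
Added example, not part of the original message or of OpenCA's own code: with nine near-identical CA sections in one responder config, a listed CA with no section, or two sections pointing at the same CRL or CA certificate, is easy to miss, and each CA should be answered from its own CRL. The sketch below checks a config fragment in the layout shown in the message; the `[ dbms ]` header spelling, the sample values and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict
# Constructed sample in the layout from the message; "[ dbms ]" header is assumed.
SAMPLE = """\
[ dbms ]
0.ca = @first_ca
1.ca = @second_ca
2.ca = @third_ca
[ first_ca ]
crl_url = file:///crls/crl_01.pem
ca_url = file:///certs/1st_cacert.pem
[ second_ca ]
crl_url = file:///crls/crl_01.pem
ca_url = file:///certs/2nd_cacert.pem
"""

def parse_sections(text):
    """Return {section: {key: value}} for a [ section ] / key = value file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def check_ca_list(text, list_section="dbms"):
    """Return sorted findings for the N.ca = @section entries."""
    sections = parse_sections(text)
    findings, seen = [], defaultdict(list)
    refs = [v.lstrip("@") for k, v in sections.get(list_section, {}).items()
            if re.fullmatch(r"\d+\.ca", k)]
    for name in refs:
        if name not in sections:  # listed CA with no section of its own
            findings.append(("missing_section", name))
            continue
        for required in ("crl_url", "ca_url"):
            url = sections[name].get(required)
            if url is None:
                findings.append(("missing_key", name, required))
            else:
                seen[(required, url)].append(name)
    # Two CAs sharing one CRL or CA certificate URL is usually a copy-paste slip.
    findings += [("duplicate", k, url, tuple(names))
                 for (k, url), names in seen.items() if len(names) > 1]
    return sorted(findings)
```

Calling `check_ca_list(SAMPLE)` reports the shared `crl_url` of `first_ca` and `second_ca` and the undefined `third_ca`; an empty list means every listed CA has its own section, CRL and certificate URL.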
