Hi,
I wonder if technically, OpenCA supports the installation of a root CA,
several sub CAs and a single HSM (to store all CA keys) onto a single
server. I know, this kind of architecture is not usual but it is imposed
on me.
It would be possible, provided that you install multiple instances
of OpenCA in distinct directories. You will need multiple databases
(may be stored in the same DB instance, of course), one for each
OpenCA instance.
The following is nCipher HSM only, don't know if this is possible with
the other implementations:
A single HSM on the same system can be shared between OpenCA instances,
but in this case all HSM protected keys must reside in the same
"Security World" (nCipher speak).
(The reason is that an nCipher HSM can only be assigned to at maximum
one single Security World at any given moment.)
That means that all these keys will be protected with the same Operator
Card Set.
A Security World can hold as many keys as you like. You could generate
thousands of CA keys (as many as your file system allows) and have
them handled by the same HSM.
cheers
Martin
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users