Hi,
first of all you should have lots of time to read through some books /
internet pages / ...
When I started with my PKI I ran over the "OpenSource PKI Book", but I
did not read it because I already had some knowledge at that time, but
perhaps it will help you:
http://ospkibook.sourceforge.net/

Furthermore I would recommend to get some knowledge about the following topics:
- hashing algorithms
- symmetric encryption / asymmetric = public-private-key encryption
- What are certificates? what is x509v3 ? difference of PGP to x509v3
certificates
- How can I check the validity of a certificate? how can I trust in a
certificate / CA? how can I check the integrity of a certificate? CRL
vs. OCSP
- some knowledge about crypto analysis could also be helpful if you
have to decide which hashing and encryption algorithms to use (e.g.
known attacks on md5, importance of the key length, ...)
- you should also be familiar with Linux and Perl if you want to dig a
little bit deeper into OpenCA
- ...

I used a very good book to get a lot of that knowledge but it is in
German and I don't know if it is available in other languages:
Wohlmacher, Petra: Digitale Signaturen und Sicherheitsinfrastrukturen
- Grundlagen, Sicherheitsaspekte, Realisierungen, Anwendungen;
Höhenkirchen: TT Verlag für Informationstechnik GmbH, 2001; ISBN:
3-936052-01-8

Here are some links that could be perhaps helpful for you:
A glossary I used several times:
http://www.dcoce.ox.ac.uk/glossary/
The SHA-1 standard:
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
The DES standard:
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
The draft for SCEP (please check if there is a newer one available):
http://ietfreport.isoc.org/all-ids/draft-nourse-scep-13.txt
Some information about hashing crypto analysis:
http://cm.bell-labs.com/who/akl/hash.pdf
The OpenCA documentation (also check if a newer one is available):
http://albert.openca.org/openca/docs/
Useful RFCs:
1321 -> MD5
2401 - about 2412 -> IPSec ...
2527 -> X509 Certificate Policy and Certification Practice Statement
2560 -> X509 - OCSP (Online Certificate Status Protocol)
3280 -> X509 - CRL (Certificate Revocation List)
Blog from Bruce Schneier about "SHA-1 broken":
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
A report about collisions for hash functions:
http://eprint.iacr.org/2004/199.pdf
And last but not least you should have a look at wikipedia in the
beginning because it is sometimes easier to understand and get some
basic knowledge before starting with the real details ;-)

In the beginning it's really hard to get into all those details but
later it is real fun to work with PKIs and all the possible
cryptographic scenarios.

Kind regards and a nice weekend,

Matthias


On 7/6/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hi
> I want to develop PKI infrastructure for my organization but I am new in this
> area. Can anybody guide me from where I should start? What should be my
> starting point
>
> thanks
> shakeel
> --
> Shakeel Ahmad
>
> "Donate the Money to Earthquake Victims.
> The average income in Pakistan is about 50$ per month.
> It means you can give average life for only  50$ PM."
>
>
>
> Quoting Dominique Lohez <[EMAIL PROTECTED]>:
>
> > Krzysztof Ryba wrote:
> > > Hello
> > >
> > > Three months ago Nicolas Vahlas wrote, but there was no answer:
> > >
> > >> I have an installation of OpenCA where the CA certificate has expired.
> > >> This was a self-signed CA certificate.
> > >> I would like to renew this certificate i.e. extend the expiration date
> > >> without changing the rest of the certificate's data.
> > >>
> > >> Is there a way to do this ?
> > >>
> > >> What if I use the "General" > "Initialization" > "Initialize the
> > >> Certification Authority" > "Self Signed CA Certificate (from altready
> > >> generated request)" functionality of the OpenCA web interface ?
> > >>
> > >> If not, should I use OpenSSL directly ? How is this possible ?
> > >>
> > >>
> > >>
> > >
> > > Now I have a very similar problem: I have to issue a certificate for a user
> > > which will be valid for the next 24 months but unfortunately the CA self-signed
> > > certificate is going to expire in 11 months so I have to e.g. extend
> > > the expiration date of the CA cert.
> > >
> > > Is it possible (and if so, how) to do this? Could anyone help and give me/us some hint.
> > >
> > > Regards,
> > >
> > >
> > Unfortunately a CA certificate should not be renewed before the PKI
> > infrastructure has become obsolete!!
> > Thus the CA certificate always has serial number 0.
> > Working around this problem could be done using openssl but this should
> > not be recommended.
> >
> > When I encountered a similar problem, I redefined a new PKI
> > infrastructure from scratch and provided new certificates to all the
> > old users.
> >
> > Sorry,
> >
> > Dominique
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Openca-Users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/openca-users
> >
>
>
>
