Hi Geert

I'm not that much into distributed OpenCA architectures - I've only played
with single node systems, but I think the general idea is to have a separate
database per node - I hope someone more knowledgeable in that area will
answer you.

I forgot to mention that the request header (which can be found in the data
column of the request table in the database) holds the name of the approving
RA as well, which can be moved across nodes using dataexchange.

Wrt signing from the RA directly - I'm not aware of an option without
modifying the code.


Konrad

-----Original Message-----
From: Geert Hendrickx [mailto:g...@telenet.be] 
Sent: 05 October 2010 12:34
To: Users' Help and Suggestions
Subject: Re: [Openca-Users] auto-sign - approved at (RA's)

On Tue, Oct 05, 2010 at 11:55:49AM +0200, Konrad Kehrer wrote:
> the CSRs are written into the "request" table in the database - each
> record keeps track of the RA.


Thanks for your response.  But as I understand it, there's no cryptographic
authentication of the RA, hence this can easily be spoofed in case of a
compromised RA?

What I was looking for: I'm setting up two public RAs for SCEP, and a
private RA (only reachable from the internal network) for operators to
approve certificate requests from routers.  All use the same central MySQL
database (with the same db credentials).  I was hoping to use "approve
without signing" to avoid the complexity of browser certificates.  But if
an attacker can compromise a public RA and connect to the db directly, he
can mark his own requests as "approved" without going via the private RA
and without the CA being able to distinguish this.

Is it possible to have the RA itself sign a certificate when a logged in
user approves it?  (I do trust the security of the private RA.)

Or do I need to use separate MySQL databases/credentials for each server
and use OpenCA's export/import functionality?  (and can this be automated,
e.g. via rsync?)


        Geert


-- 
Geert Hendrickx  -=-  g...@telenet.be  -=-  PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


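The spoofing scenario Geert describes, and the kind of key-bound approval that would let the CA tell a real approval from a direct database write, as an added example that is not part of this thread and not OpenCA's own code. The table below is a constructed, simplified stand-in for OpenCA's request table (assumed columns, not the real schema), the RA names, keys and CSR text are constructed, and the approval tag is an HMAC over the request under a key the CA shares only with the private RA; a signature under the private RA's certificate would play the same role. The "flag only" check models what the thread says happens today: the CA sees a status and an RA name that anyone holding the shared MySQL credentials can write.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the shared request table. OpenCA's real schema
# differs; the point is only that status and approving-RA name are plain
# columns writable by anyone with the (shared) database credentials.
def open_shared_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE request ("
        "  req_key INTEGER PRIMARY KEY,"
        "  csr_pem TEXT NOT NULL,"
        "  status TEXT NOT NULL,"       # 'NEW' or 'APPROVED'
        "  approved_by TEXT,"           # free-text RA name, unauthenticated
        "  approval_tag TEXT)"          # hex HMAC bound to this request, or NULL
    )
    return db

# Keys the CA trusts, one per approving RA. Only the private RA holds its
# key; the public SCEP RAs hold none. Constructed value.
CA_TRUSTED_RA_KEYS = {
    "private-ra": b"constructed-secret-shared-between-ca-and-private-ra",
}

def submit_csr(db, csr_pem: str) -> int:
    """Public SCEP RA path: a new request lands in state NEW."""
    cur = db.execute(
        "INSERT INTO request (csr_pem, status) VALUES (?, 'NEW')", (csr_pem,))
    db.commit()
    return cur.lastrowid

def approval_tag(ra_key: bytes, req_key: int, csr_pem: str) -> str:
    # Bind the approval to the request key and the CSR body, so a tag lifted
    # from one approved record does not verify on another record.
    msg = f"{req_key}\n".encode() + csr_pem.encode()
    return hmac.new(ra_key, msg, hashlib.sha256).hexdigest()

def approve_legitimately(db, req_key: int, ra_name: str, ra_key: bytes) -> None:
    """Operator approval on the private RA: status flip plus keyed tag."""
    (csr_pem,) = db.execute(
        "SELECT csr_pem FROM request WHERE req_key = ?", (req_key,)).fetchone()
    db.execute(
        "UPDATE request SET status='APPROVED', approved_by=?, approval_tag=? "
        "WHERE req_key = ?",
        (ra_name, approval_tag(ra_key, req_key, csr_pem), req_key))
    db.commit()

def approve_by_db_write(db, req_key: int, claimed_ra: str, tag: str) -> None:
    """What a compromised public RA can do with the shared credentials:
    set the flag, claim any RA name, and write whatever tag it likes."""
    db.execute(
        "UPDATE request SET status='APPROVED', approved_by=?, approval_tag=? "
        "WHERE req_key = ?", (claimed_ra, tag, req_key))
    db.commit()

def ca_trusts_flag_only(db, req_key: int) -> bool:
    """Approval model the thread describes: CA reads status and RA name."""
    status, approved_by = db.execute(
        "SELECT status, approved_by FROM request WHERE req_key = ?",
        (req_key,)).fetchone()
    return status == "APPROVED" and approved_by in CA_TRUSTED_RA_KEYS

def ca_verifies_tag(db, req_key: int) -> bool:
    """Hardened check: recompute the tag under the claimed RA's key."""
    status, approved_by, tag, csr_pem = db.execute(
        "SELECT status, approved_by, approval_tag, csr_pem "
        "FROM request WHERE req_key = ?", (req_key,)).fetchone()
    if status != "APPROVED" or approved_by not in CA_TRUSTED_RA_KEYS or not tag:
        return False
    expected = approval_tag(CA_TRUSTED_RA_KEYS[approved_by], req_key, csr_pem)
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    """Three records: a real approval, a forged flag, and a copied tag."""
    db = open_shared_db()
    csr = ("-----BEGIN CERTIFICATE REQUEST-----\nconstructed body\n"
           "-----END CERTIFICATE REQUEST-----\n")
    good = submit_csr(db, csr)
    approve_legitimately(db, good, "private-ra", CA_TRUSTED_RA_KEYS["private-ra"])
    forged = submit_csr(db, csr)
    approve_by_db_write(db, forged, "private-ra", "00" * 32)
    copied = submit_csr(db, csr)
    (good_tag,) = db.execute(
        "SELECT approval_tag FROM request WHERE req_key = ?", (good,)).fetchone()
    approve_by_db_write(db, copied, "private-ra", good_tag)
    return {
        "flag_only": tuple(ca_trusts_flag_only(db, k) for k in (good, forged, copied)),
        "with_tag": tuple(ca_verifies_tag(db, k) for k in (good, forged, copied)),
    }

if __name__ == "__main__":
    print(demo())
```

With the flag-only check the CA accepts all three records, which is the weakness Geert is asking about. With the tag check only the record approved on the private RA passes; the copied tag fails because it is bound to the original request key. This only holds if the private RA's key (or signing certificate) never reaches the public RAs, which is a separate trust boundary from the database credentials.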
