Well, you can do this via your Certificate Policy document, and assert a
certain OID for each CA. This is rather unusual, as most of the time, a
certificatePolicy OID is for an assurance level, but there's nothing to
stop you from stating in your CP that a CA asserting a given OID is only
able to sign Server certs, or Client certs as the case may be.
Okey, thanks. I will give it a shoot later :)
BTW: If someone gets a hold of your CA, you probably have MUCH larger
issues to deal with. I trust this is for some internal application? Even
so, if this is used for "production" uses, I would ensure that the CA key
was stored on some form of hardware token, and if you really are
concerned
about the consequences of unauthorised use, I would implement some form
of M of N (for instance, you need 2 out of a pool of 5 people available
to
activate the key). There are several hardware devices out there that can
handle this kind of requirement.
This is just a small project I'm doing at home to centralize my VPN & WLAN
authorization and to understand PKI key infrastructure better in general.
Someone getting a hold of the CA is very unlikely event (first few levels
of master CAs + server CA are to be stored on encrypted CDs since I need
them very rarerly and client CA would be stored on encrypted VM image
since it allows a bit faster access to it without really impacting
security on home enviroment). And the main idea of seprating client CA
from server is that servers can access CRL in more or less real-time,
clients cannot. Thus in an unlikely event that my client signing CA gets
in wrong hands, I could revoke it completly with higher level CA and then
give out new certificates later along with up-to-date CRL.
Is this possible? The standard Windows-included public CA certificates
seem to indicate this is possible (for example VeriSign's CAs include
following purposes "Proves your identity to remote computer" and
"Ensures
the identity of a remote computer". I assume they refer client and
server
certificates).
Verisign manages this by policy (the way I suggested above), I believe,
backed by an Audit by one of the "Big 3" auditors. And they keep their
CA's in bunkers, so there's VERY little chance that an unauthorised
individual could get "access" to a given CA key.
The meaning on that part was to be only an example. No way in the hell
home grade security could match corporate in software, hardware or
administrative security :) (well, okey, I have heard some horror stories,
but fortunaly I haven't personally expirenced too horrifying ones)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
