Hi Dennis,

On Mon, Sep 01, 2008 at 05:05:09AM -0700, Dennis Glatting wrote:
> I am trying to figure out how to specify my CA/REALM architecture in the
> OpenXPKI config, specifically openxpki.conf from which config.xml is
> derived (I think). Any help how to specify this set up will be
> appreciated.
>
> [ROOT_CA] --> [SUB_CA_1] --> [EMPLOYEES_1]
>     |                    --> [DEVICES_1]
>     |-> [SUB_CA_2] --> [EMPLOYEES_2]
>     |              --> [DEVICES_2]
>     |-> [SUB_CA_3] --> [EMPLOYEES_3]
>     |              --> [DEVICES_3]

Is [SUB_CA_2] the successor of [SUB_CA_1], i.e. do they only differ in
validity (and possibly key)? If this is the case, I would suggest four
realms, 'Root CA', 'Sub CA', 'Employees' and 'Devices'. Define them in
openxpki.conf using

  pkirealm: Root CA
  pkirealm: Sub CA
  ...

And then for each realm definition, add the issuing CAs like this:

  issuingca: SUB_CA_1
  issuingca: SUB_CA_2
  ...

> Housing the services will initially be on one machine. Future

I would suggest an offline root CA, though. This is possible using the
OpenXPKI live CD and a USB drive, for example - I would have to generate
a new live CD though, as the latest one still suffers from the Debian
OpenSSL bug and should NOT be used except for testing. Setting up an
offline root CA is relatively easy but brings you a lot of security
benefit.

HTH,

Cheers,
Alex

-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer | [EMAIL PROTECTED]
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch
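The realm/issuing-CA split Alex describes above, as an added example (not from the thread or from the OpenXPKI project): a small script that groups a CA inventory into realms by subject DN, treating CAs with the same subject as successors that differ only in key and validity, emits the `pkirealm:` / `issuingca:` lines in the shape quoted in the reply, and flags validity gaps between a CA and its successor, i.e. periods in which a realm would have no usable issuing CA. All CA ids, subjects and dates are constructed, and the realm mapping is an assumption following the four realms suggested.

```python
from datetime import date

# Constructed inventory modelled on the diagram in the thread (subjects and
# dates are made up): (ca_id, subject DN, not_before, not_after).
CA_INVENTORY = [
    ("ROOT_CA",     "CN=Example Root CA",     date(2008, 1, 1), date(2028, 1, 1)),
    ("SUB_CA_1",    "CN=Example Sub CA",      date(2008, 1, 1), date(2011, 1, 1)),
    ("SUB_CA_2",    "CN=Example Sub CA",      date(2010, 7, 1), date(2013, 7, 1)),
    ("SUB_CA_3",    "CN=Example Sub CA",      date(2013, 1, 1), date(2016, 1, 1)),
    ("EMPLOYEES_1", "CN=Example Employee CA", date(2008, 1, 1), date(2010, 1, 1)),
    ("EMPLOYEES_2", "CN=Example Employee CA", date(2011, 1, 1), date(2013, 1, 1)),
    ("DEVICES_1",   "CN=Example Device CA",   date(2008, 1, 1), date(2011, 1, 1)),
    ("DEVICES_2",   "CN=Example Device CA",   date(2010, 6, 1), date(2013, 6, 1)),
]

# Assumed realm per subject DN, following the four realms suggested in the reply.
REALM_OF_SUBJECT = {
    "CN=Example Root CA": "Root CA", "CN=Example Sub CA": "Sub CA",
    "CN=Example Employee CA": "Employees", "CN=Example Device CA": "Devices",
}

def group_into_realms(inventory):
    """Map realm name -> issuing CA ids, oldest first (the successor chain)."""
    realms = {}
    for ca_id, subject, not_before, _ in sorted(inventory, key=lambda e: e[2]):
        realms.setdefault(REALM_OF_SUBJECT[subject], []).append(ca_id)
    return realms

def find_validity_gaps(inventory):
    """Return (realm, predecessor, successor) where the successor's not_before
    lies after the predecessor's not_after: no issuing CA covers that period."""
    by_realm = {}
    for ca_id, subject, nb, na in inventory:
        by_realm.setdefault(REALM_OF_SUBJECT[subject], []).append((nb, na, ca_id))
    gaps = []
    for realm, cas in by_realm.items():
        cas.sort()
        for (_, prev_end, prev_id), (next_start, _, next_id) in zip(cas, cas[1:]):
            if next_start > prev_end:
                gaps.append((realm, prev_id, next_id))
    return gaps

def render_openxpki_conf(realms):
    """Emit the pkirealm:/issuingca: lines in the shape quoted in the thread;
    the surrounding openxpki.conf section syntax is not reproduced here."""
    lines = []
    for realm, ca_ids in realms.items():
        lines.append(f"pkirealm: {realm}")
        lines.extend(f"issuingca: {ca_id}" for ca_id in ca_ids)
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_openxpki_conf(group_into_realms(CA_INVENTORY)))
    print("gaps:", find_validity_gaps(CA_INVENTORY))
```

With the constructed data the Employees realm shows a gap between EMPLOYEES_1 and EMPLOYEES_2, which is exactly the kind of rollover mistake worth catching before the configuration goes live.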
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
