Hi,
I am working on a setup of company CA and I have some questions before I try 
setting up openxpki (Disclaimer: I just read through the docs).

In the past I used EJBCA with great success, but they removed both the external 
OCSP responder and RA capabilities that I need (=want) from the community 
edition. I also tried dogtag, but hit some errors on Ubuntu and I very much 
dislike that it uses LDAP for configuration/database/everything.
Now I finished a basic setup of XCA, which seems to work nicely but is a bit 
clunky for a larger deployment (no concurrent access, I'll have to hack some 
automation around it, etc.).

I very strongly feel against having any CA interface exposed to the public, I 
could simply never trust it.

Thus I'd like to be able to have the CA online and running behind a firewall, 
not visible to the public, reaching out to an external RA for requests:

  - CSRs, SCEP requests and any other public interface (OCSP) should be 
    on an external machine.
    I don't care much about SCEP, but I want to give the users some 
    sort of an interface.
    I very much like how EJBCA does it - after signing is approved 
    on the CA, the certificate gets pushed to the RA, notifications are sent and 
    the user can retrieve the cert without further CA operator involvement.

  - That machine will never connect to the CA itself, but the CA will 
    rather connect to it and gather requests. This is as close to an air-gapped 
    setup as I feel is practical.

Is this possible? If not, is it easy enough to implement?
I can imagine a simple cron job INSERTing the requests into the database and 
exporting finished certs, but it still needs some sort of a public interface... 
(Like a second OpenXPKI instance with the private keys deleted?)

Thanks!

Jan
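The pull-only exchange described in the post, as an added example that is not part of the original message and not OpenXPKI code: the RA's request queue on the public host is modelled with an sqlite3 table, the CA host initiates every contact (a cron job polling that table), re-validates each CSR against a hypothetical issuance policy before signing, and writes the result back so the user can collect it from the RA without CA operator involvement. The table layout, the `ALLOWED_CN` policy, the constructed `SAMPLE_CSR` text and the `openssl` wrapper are all assumptions made for this illustration.

```python
# Added example: pull-model RA/CA exchange (not from the original post, not OpenXPKI).
# The RA-side request table is modelled with sqlite3; the CA host only ever
# reads from it and writes back, so no inbound connection to the CA is needed.
import re
import sqlite3
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Loose PEM shape check; the openssl wrapper below does the real CSR verification.
PEM_CSR = re.compile(
    r"^-----BEGIN CERTIFICATE REQUEST-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE REQUEST-----\n?$"
)
# Hypothetical issuance policy: only lowercase hostnames under example.com are issued.
ALLOWED_CN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.example\.com$")
# Constructed placeholder with valid PEM framing only (not a real CSR).
SAMPLE_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBsample\n-----END CERTIFICATE REQUEST-----\n"

Signer = Callable[[str], str]  # csr_pem -> cert_pem


def init_ra_db(conn: sqlite3.Connection) -> None:
    """RA side: the request queue living on the public-facing host."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS requests (id INTEGER PRIMARY KEY, cn TEXT NOT NULL,"
        " csr_pem TEXT NOT NULL, state TEXT NOT NULL DEFAULT 'pending', cert_pem TEXT, reason TEXT)"
    )
    conn.commit()


def submit_csr(conn: sqlite3.Connection, cn: str, csr_pem: str) -> int:
    """RA side: a user drops a CSR into the queue; the RA never contacts the CA."""
    cur = conn.execute("INSERT INTO requests (cn, csr_pem) VALUES (?, ?)", (cn, csr_pem))
    conn.commit()
    return cur.lastrowid


def validate_request(cn: str, csr_pem: str) -> Optional[str]:
    """CA side re-checks everything: the RA sits outside the CA's trust boundary."""
    if not PEM_CSR.match(csr_pem):
        return "malformed CSR"
    if not ALLOWED_CN.match(cn):
        return "CN outside issuance policy"
    return None


def ca_poll(conn: sqlite3.Connection, signer: Signer, batch: int = 10) -> Dict[int, str]:
    """CA side (cron job): outbound-only pull of pending requests, results written back."""
    rows = conn.execute(
        "SELECT id, cn, csr_pem FROM requests WHERE state = 'pending' ORDER BY id LIMIT ?", (batch,)
    ).fetchall()
    outcome: Dict[int, str] = {}
    for req_id, cn, csr_pem in rows:
        reason = validate_request(cn, csr_pem)
        cert_pem = None
        if reason is None:
            try:
                cert_pem = signer(csr_pem)
            except Exception as exc:  # e.g. openssl rejected the CSR's own signature
                reason = f"signing failed: {exc}"
        if reason is None:
            conn.execute("UPDATE requests SET state = 'issued', cert_pem = ? WHERE id = ?", (cert_pem, req_id))
            outcome[req_id] = "issued"
        else:
            conn.execute("UPDATE requests SET state = 'rejected', reason = ? WHERE id = ?", (reason, req_id))
            outcome[req_id] = "rejected"
    conn.commit()
    return outcome


def fetch_cert(conn: sqlite3.Connection, req_id: int) -> Optional[str]:
    """RA side: the user collects the issued certificate; nothing from the CA is needed here."""
    row = conn.execute("SELECT cert_pem FROM requests WHERE id = ? AND state = 'issued'", (req_id,)).fetchone()
    return row[0] if row else None


def run_exchange(signer: Signer, submissions: List[Tuple[str, str]]) -> Dict[int, Tuple[str, Optional[str]]]:
    """Drive one full round trip on an in-memory queue; report (state, cert) per request id."""
    conn = sqlite3.connect(":memory:")
    init_ra_db(conn)
    ids = [submit_csr(conn, cn, csr) for cn, csr in submissions]
    states = ca_poll(conn, signer)
    return {i: (states[i], fetch_cert(conn, i)) for i in ids}


def openssl_signer(ca_key: Path, ca_cert: Path, days: int = 365) -> Signer:
    """Wrap the openssl CLI as the signer (one-shot; a real CA keeps an issuance database)."""
    def sign(csr_pem: str) -> str:
        with tempfile.TemporaryDirectory() as d:
            csr = Path(d, "req.pem")
            csr.write_text(csr_pem)
            subprocess.run(["openssl", "req", "-in", str(csr), "-verify", "-noout"], check=True, capture_output=True)
            done = subprocess.run(
                ["openssl", "x509", "-req", "-in", str(csr), "-CA", str(ca_cert), "-CAkey", str(ca_key),
                 "-CAcreateserial", "-days", str(days)], check=True, capture_output=True, text=True)
            return done.stdout
    return sign


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # throwaway demo CA and one host CSR
        ca_key, ca_cert, csr = Path(d, "ca.key"), Path(d, "ca.crt"), Path(d, "host.csr")
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(ca_key),
                        "-out", str(ca_cert), "-subj", "/CN=Demo Offline CA", "-days", "30"], check=True, capture_output=True)
        subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", str(Path(d, "host.key")),
                        "-out", str(csr), "-subj", "/CN=host1.example.com"], check=True, capture_output=True)
        result = run_exchange(openssl_signer(ca_key, ca_cert),
                              [("host1.example.com", csr.read_text()), ("host1.other.test", csr.read_text())])
        for req_id, (state, cert) in result.items():
            print(req_id, state, "cert issued" if cert else "no cert")
```

The direction of data flow is the whole point: `ca_poll` is the only function that ever runs on the CA host, and it opens the connection to the RA's queue, never the other way round. Because the RA is exposed, the CA treats its queue as untrusted input and repeats the policy check and CSR signature verification before signing; a signer failure is recorded as a rejection with a reason rather than leaving the request stuck in `pending`.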



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users