Hi Jan,

On 25.02.2017 at 00:46, Jan Schermer wrote:
Hi, I am working on a setup of company CA and I have some questions before I try setting up openxpki (Disclaimer: I just read through the docs).
That's a good starting point ;)
Thus I'd like to be able to have the CA online and running behind a firewall,
not visible to the public, reaching out to an external RA for requests
- CSRs, SCEP requests and any other public interface (OCSP) should be
on an external machine
I don't care much about SCEP, but I want to give the users some
sort of an interface.
I very much like how EJBCA does it - after signing is approved
on the CA, the certificate gets pushed to the RA, notifications are sent and
the user can retrieve the cert without further CA operator involvement.
- That machine will never connect to the CA itself, but the CA will
rather connect to it and gather requests. This is as close to an air-gapped setup
as I feel is practical.
Is this possible? If not, is it easy enough to implement?
I can imagine a simple cron job INSERTing the requests into database and
exporting finished certs, but it still needs some sort of a public interface...
(Like a second OpenXPKI instance with deleted private keys?)
Ready to use - no, possible - yes, easy to implement - depends... I see three options how to do that:

Shared Database: If you can accept a shared database, you can modify the default csr workflows so the RA side stops when it comes to signing and a scheduler on the CA side takes over.
NICE Interface: The "NICE" interface was made to encapsulate the CA key operations to be sort of atomic. You can build your own instance of this interface that writes the CSR to disk and polls for the certificate (See OpenXPKI::Server::NICE::Local).
Custom Workflow: Write your own workflow that dumps the required data to the filesystem, depending on your exact needs it might be necessary that the existing classes need to be extended.
There is unfortunately not much documentation around, but examining the existing workflows and reading the perldoc of the classes should give you an idea.
best regards
Oliver
--
Protect your environment - close windows and adopt a penguin!
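The "Shared Database" option above is a workflow split: the RA-side workflow parks the request once it reaches the signing step, and a scheduler on the CA host pulls it, signs it, and writes the certificate back, so the RA never holds the CA key and the CA never accepts an inbound connection. The following is an added example of that hand-off, not OpenXPKI code and not Oliver's; it uses an in-memory SQLite table with constructed sample data, and the `stand_in_sign` routine is a labelled placeholder (a keyed digest, not an X.509 signature) standing in for the CA key operation that OpenXPKI's NICE layer would perform. Table, column and function names are all assumptions.

```python
import sqlite3
import hashlib
import hmac

# Constructed sample CSR text (not a real PEM body) used to drive the example.
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              "constructed-example-request\n"
              "-----END CERTIFICATE REQUEST-----\n")

# Hypothetical CA-side secret; in a real deployment the CA key never leaves the CA host.
CA_SIGNING_SECRET = b"constructed-ca-secret"

# Assumed schema for the shared table; the state column is the hand-off point.
SCHEMA = """
CREATE TABLE IF NOT EXISTS csr_queue (
    id       INTEGER PRIMARY KEY,
    subject  TEXT NOT NULL,
    csr_pem  TEXT NOT NULL,
    state    TEXT NOT NULL,   -- 'pending_ca' -> 'signing' -> 'issued'
    worker   TEXT,
    cert_pem TEXT
)
"""

def open_db(path=":memory:"):
    """Open the shared database; isolation_level=None gives explicit transaction control."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(SCHEMA)
    return conn

# ---- RA side: reachable by users, holds no CA key ----

def ra_submit(conn, subject, csr_pem):
    """RA workflow runs up to the signing step and parks the request for the CA."""
    cur = conn.execute(
        "INSERT INTO csr_queue (subject, csr_pem, state) VALUES (?, ?, 'pending_ca')",
        (subject, csr_pem))
    return cur.lastrowid

def ra_status(conn, req_id):
    """Users poll this; returns (state, cert_pem) so the cert can be fetched once issued."""
    return conn.execute(
        "SELECT state, cert_pem FROM csr_queue WHERE id = ?", (req_id,)).fetchone()

# ---- CA side: internal host, pulls work on a schedule, accepts no inbound connections ----

def ca_claim_next(conn, worker):
    """Atomically move one pending request to 'signing' so two schedulers never sign the same CSR."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading
    row = conn.execute(
        "SELECT id FROM csr_queue WHERE state = 'pending_ca' ORDER BY id LIMIT 1").fetchone()
    if row is None:
        conn.execute("COMMIT")
        return None
    conn.execute(
        "UPDATE csr_queue SET state = 'signing', worker = ? WHERE id = ? AND state = 'pending_ca'",
        (worker, row[0]))
    conn.execute("COMMIT")
    return row[0]

def stand_in_sign(csr_pem, subject):
    """Placeholder for the CA key operation: a keyed digest over the request, NOT an X.509
    signature, so the example stays dependency-free. A real deployment signs with the CA key here."""
    tag = hmac.new(CA_SIGNING_SECRET, (subject + "\n" + csr_pem).encode(),
                   hashlib.sha256).hexdigest()
    return f"-----BEGIN CERTIFICATE-----\nstand-in:{subject}:{tag}\n-----END CERTIFICATE-----\n"

def ca_run_once(conn, worker, signer=stand_in_sign):
    """One scheduler tick: claim a request, sign it on the CA side, write the result back."""
    req_id = ca_claim_next(conn, worker)
    if req_id is None:
        return None
    subject, csr_pem = conn.execute(
        "SELECT subject, csr_pem FROM csr_queue WHERE id = ?", (req_id,)).fetchone()
    cert_pem = signer(csr_pem, subject)
    # Guard on state and worker so a stale or duplicate tick cannot overwrite an issued cert.
    cur = conn.execute(
        "UPDATE csr_queue SET state = 'issued', cert_pem = ? "
        "WHERE id = ? AND state = 'signing' AND worker = ?",
        (cert_pem, req_id, worker))
    return req_id if cur.rowcount == 1 else None

if __name__ == "__main__":
    db = open_db()
    rid = ra_submit(db, "CN=host1.example.test", SAMPLE_CSR)
    print("after RA submit:", ra_status(db, rid)[0])
    ca_run_once(db, "ca-scheduler-1")
    print("after CA tick:", ra_status(db, rid)[0])
```

The `BEGIN IMMEDIATE` claim is the part worth copying: with two CA schedulers (or one that restarts mid-tick) the state transition is what prevents a CSR from being signed twice, and the `worker` guard on the final update keeps a late tick from clobbering a certificate that is already issued. The RA side only ever reads `state` and `cert_pem`, which is what lets it stay on the exposed host.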
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
