Hi all,
currently we are trying to have multiple CAs in one realm. The final state
should allow us to have certain profiles linked to single CAs.
For example we have two CAs in one realm. We want all requests in this realm
for e.g. TLS to be signed by one of the CAs and all people (secure e-mail /
authentication) to be signed by the other one.
So far we have changed "AlwaysFalse" to "AlwaysTrue" as stated in
certificate_signing_request_v2.yaml:

    # The default is to autodetect the issuer token, in case you want to
    # give the Ra Operator the option to select a special CA Token for
    # signing, set this to AlwaysTrue. Note that this works only with the
    # default "NICE::Local" implementation and has some limitations.
    allow_isuer_override:
        class: OpenXPKI::Server::Workflow::Condition::AlwaysFalse

And imported two certificates into two different token groups:

    root@openxpki:/etc/openxpki/ssl/ca-two# openxpkiadm alias --realm ca-two
    === functional token ===
    ca-one-vault (datasafe):
      Alias     : ca-one-vault-1
      Identifier: jDZTDiCM2oXB9tdsvA0plEYCyas
      NotBefore : 2019-03-05 13:28:53
      NotAfter  : 2029-03-07 13:28:53
    ca-one-scep (scep):
      not set
    ca-one-signer (certsign):
      Alias     : ca-one-signer-1
      Identifier: -V4REbtuR4s8NHQ3Dnb-uaiiTSk
      NotBefore : 2019-04-16 12:05:21
      NotAfter  : 2022-01-10 12:05:21
    ca-one-signer-2 (certsign2):
      Alias     : ca-one-signer-2-1
      Identifier: oQnAm63BtRPHajxsWv-r9qlm1x8
      NotBefore : 2019-04-16 12:22:15
      NotAfter  : 2022-01-10 12:22:15
    === root ca ===
    current root ca:
      Alias     : root-1
      Identifier: E7zcJADBdEqKPwvX8oqmuR_-LtQ
      NotBefore : 2019-03-05 13:28:51
      NotAfter  : 2029-03-07 13:28:51
    upcoming root ca:
      not set

We also changed the system/crypto.yaml file:

    # API class to be used for different types of *realm* tokens
    # Undefined values default to OpenXPKI::Crypto::Backend::API
    tokenapi:
        certsign: OpenXPKI::Crypto::Backend::API
        crlsign: OpenXPKI::Crypto::Backend::API
        datasafe: OpenXPKI::Crypto::Backend::API
        # scep: OpenXPKI::Crypto::Tool::LibSCEP::API
        scep: OpenXPKI::Crypto::Tool::SCEP::API
        certsign2: OpenXPKI::Crypto::Backend::API

So far the second CA is not shown.

    Token Alias       Identifier                   Status   Not Before               Not After
    ca-one-signer-1   -V4REbtuR4s8NHQ3Dnb-uaiiTSk  ONLINE   2019-04-16 12:05:21 UTC  2022-01-10 12:05:21 UTC

Can you please tell us what we forgot and how the configuration needs to
look?
Thanks a lot in advance.
Best Regards,
Timo Klimmeck
Working student
Compliance & Information Security Department
E-Mail: [email protected]
Web: www.adesso-service.com
adesso as a service GmbH
Stockholmer Allee 24
44269 Dortmund
adesso as a service GmbH · Registered office: Dortmund · Dortmund District
Court HRB 25321 · Managing Directors: Stefan Schmitt, Christopher Schmelter
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
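A small check for the situation described in the post, as an added example that is neither the poster's nor OpenXPKI's own code: it parses the functional-token section of the `openxpkiadm alias` output quoted above and reports token groups that have no token, or whose token is outside its validity window or close to expiry. The sample text is constructed from three of the groups in the post; the `"not set"` handling and the 90-day warning threshold are assumptions of this example.

```python
import re
from datetime import datetime
# Constructed sample in the layout of the `openxpkiadm alias` output quoted in the post.
SAMPLE = """\
=== functional token ===
ca-one-scep (scep):
  not set
ca-one-signer (certsign):
  Alias     : ca-one-signer-1
  Identifier: -V4REbtuR4s8NHQ3Dnb-uaiiTSk
  NotBefore : 2019-04-16 12:05:21
  NotAfter  : 2022-01-10 12:05:21
ca-one-signer-2 (certsign2):
  Alias     : ca-one-signer-2-1
  Identifier: oQnAm63BtRPHajxsWv-r9qlm1x8
  NotBefore : 2019-04-16 12:22:15
  NotAfter  : 2022-01-10 12:22:15
=== root ca ===
"""
GROUP_RE = re.compile(r"^(\S+) \((\w+)\):$")         # "group (type):"
FIELD_RE = re.compile(r"^\s+(\w+)\s*:\s*(.+?)\s*$")  # "  Field : value"
TS = "%Y-%m-%d %H:%M:%S"

def parse_functional_tokens(text):
    """Parse the '=== functional token ===' section; a 'not set' group keeps alias=None."""
    groups, current, active = {}, None, False
    for line in text.splitlines():
        if line.startswith("==="):
            active = "functional token" in line   # stop at '=== root ca ==='
        elif active and (m := GROUP_RE.match(line)):
            current = m.group(1)
            groups[current] = {"type": m.group(2), "alias": None}
        elif active and current and (m := FIELD_RE.match(line)):
            groups[current][m.group(1).lower()] = m.group(2)
    return groups

def token_problems(groups, now, warn_days=90):
    """{group: reason} for groups without a token, or whose token is invalid at `now` or expires soon."""
    now, problems = datetime.strptime(now, TS), {}
    for name, g in groups.items():
        if g["alias"] is None:
            problems[name] = "no token in group (type %s)" % g["type"]
            continue
        nb, na = (datetime.strptime(g[k], TS) for k in ("notbefore", "notafter"))
        if now < nb:
            problems[name] = "token not valid before " + g["notbefore"]
        elif now >= na:
            problems[name] = "token expired " + g["notafter"]
        elif (na - now).days < warn_days:
            problems[name] = "token expires within %d days" % warn_days
    return problems
```

Run against the real output of `openxpkiadm alias --realm <realm>` (the `now` argument is a timestamp in the same format the tool prints) to see which certsign groups actually have a usable token before debugging the issuer selection.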