Hi,

> I have only one CA, but is it possible to configure EST with 2 different
> profiles?
> I would like to set up one for User certs. and one for TLS server certs.

Within any OpenXPKI PKI Realm you can configure an arbitrary number of EST, SCEP and RPC endpoints. Each endpoint has its own distinct configuration, making it possible to provide endpoints, e.g. specific for a device group. (In terms of long-term manageability this is an important feature, making it possible to modify the enrollment policy e.g. only for your printers while leaving the enrollment policy for phones unchanged.)

Each endpoint has a default certificate profile configuration which is selected if no other supported profile is requested by the client (and accepted by the endpoint).

The client may override the configured default profile by including the Microsoft-specific extension 1.3.6.1.4.1.311.20.2 (szOID_ENROLL_CERTTYPE_EXTENSION, http://oid-info.com/cgi-bin/display?oid=1.3.6.1.4.1.311.20.2&action=display) in the submitted CSR. If the profile requested by the client is contained in the profile mapping of the endpoint configuration, the mapped profile is used for the incoming certificate request; otherwise the default is used.

HTH

Martin
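
The selection rule described in the reply above, as an added example that is not part of the original message and is not OpenXPKI code: a small model of two endpoints, each with its own default and profile mapping, plus the extension value a client would submit. Endpoint labels, map entries and profile names are hypothetical, and the BMPString encoding of the extension value is an assumption based on how Microsoft clients encode the template name.

```python
from typing import Optional

OID_CERTTYPE = "1.3.6.1.4.1.311.20.2"  # szOID_ENROLL_CERTTYPE_EXTENSION

# Constructed endpoint settings (hypothetical labels and profile names):
# one endpoint per certificate type, each with its own default and map.
ENDPOINTS = {
    "est-user": {"default": "user_auth", "profile_map": {"user-sign": "user_sign"}},
    "est-server": {"default": "tls_server", "profile_map": {"tls-client": "tls_client"}},
}

def encode_template_name(name: str) -> bytes:
    """DER BMPString (tag 0x1E, UTF-16BE) carrying the requested profile name."""
    body = name.encode("utf-16-be")
    if len(body) > 127:
        raise ValueError("name too long for short-form DER length")
    return bytes([0x1E, len(body)]) + body

def decode_template_name(der: bytes) -> str:
    """Strictly parse the extension value; reject anything but a short BMPString."""
    if (len(der) < 2 or der[0] != 0x1E or der[1] > 127
            or der[1] != len(der) - 2 or der[1] % 2):
        raise ValueError("malformed certificate template name")
    return der[2:].decode("utf-16-be")

def openssl_extension_line(name: str) -> str:
    """Line for an OpenSSL request-extension section that asks for `name`."""
    return f"{OID_CERTTYPE} = DER:{encode_template_name(name).hex(':')}"

def select_profile(endpoint: str, ext_value: Optional[bytes]) -> str:
    """Mapped profile if the client asked for a name this endpoint maps, else default."""
    cfg = ENDPOINTS[endpoint]
    if ext_value is None:  # CSR carries no template-name extension
        return cfg["default"]
    requested = decode_template_name(ext_value)
    # A name that is not in this endpoint's map cannot pull in another
    # endpoint's profile; the request stays on the endpoint default.
    return cfg["profile_map"].get(requested, cfg["default"])

if __name__ == "__main__":
    print(openssl_extension_line("tls-client"))
    for ep, name in [("est-server", None), ("est-server", "tls-client"),
                     ("est-server", "user-sign"), ("est-user", "user-sign")]:
        ext = encode_template_name(name) if name else None
        print(f"{ep:10} requested={name!s:10} -> {select_profile(ep, ext)}")
```

In this model a malformed extension value raises `ValueError` rather than falling back to the default; how OpenXPKI itself treats such a value is not stated in the message.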