Re: [OpenXPKI-users] Multiple Private Keys for a single realm
On Tue, 2 Jan 2024 at 17:22, Martin Bartosch wrote: > Happy New Year everyone! > > > We are running a setup with OpenXPKI with a single Root CA (RSA private > key) and a couple of intermediate/subordinate CA (all with EC private keys). > > > > Now we have hit a problem where a 3rd party product should act as a > separate CA but still we want to maintain the trust back to our root ca. > This is working fine with our subordinate CA on other platforms, but this > platform requires the signing key being a RSA key and not a EC key. > > > > Now I can perfectly fine create a new realm with a RSA key (tested ok) > however, would it be possible to have multiple private keys on a single > realm? For example that our Sub CA will sign CSRs based on a RSA private > key with a RSA key and EC requests with the EC key? > > As you mentioned, OpenXPKI supports certificates with both EC and RSA > keys, and this is generally true on all "certificate levels": The active > Issuing CA within a PKI Realm can itself be based on an RSA or an EC key > and it can issue EC or RSA certificates. > > Apart from that, OpenXPKI supports any number of Issuing CAs within one > single PKI Realm. However, the idea here is that only one of these Issuing > CAs is active at any given time, so this feature is used to support > seamless Issuing CA rollovers where a newer Issuing CA completely takes > over issuance of certificates and the older CAs within the Realm are in > passive mode, issuing CRLs only. > > Now, if I understand you correctly you want to have two distinct Issuing > CA certificates which are valid and concurrently active at the same time > within a PKI Realm, with both actively issuing certificates. > Correct > This is not supported with the standard workflows within OpenXPKI, and I > don't see it as a feature that is useful in general. > My recommendation is to use two different Realms with different Issuing > CAs below the same Root CA instead. > Ok, thats what I thought, but I just wanted to be sure that there wasn't a "hidden" feature that would allow for this rather special case :-) I'll create a new realm and make this RSA based. > It is of course possible to modify/customize the workflows in a way that > this would work, but this requires analysis, design and implementation to > do this right (and my gut feeling is that while doing so some nasty gotchas > might appear). > Yeah, I'd rather not make anything hacky on this setup, it will most definitely bite me later on during in upgrade or other changes to the system. > > Cheers > > Martin > > Thanks for your reply. Thomas ___ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
Re: [OpenXPKI-users] Multiple Private Keys for a single realm
Happy New Year everyone! > We are running a setup with OpenXPKI with a single Root CA (RSA private key) > and a couple of intermediate/subordinate CA (all with EC private keys). > > Now we have hit a problem where a 3rd party product should act as a separate > CA but still we want to maintain the trust back to our root ca. This is > working fine with our subordinate CA on other platforms, but this platform > requires the signing key being a RSA key and not a EC key. > > Now I can perfectly fine create a new realm with a RSA key (tested ok) > however, would it be possible to have multiple private keys on a single > realm? For example that our Sub CA will sign CSRs based on a RSA private key > with a RSA key and EC requests with the EC key? As you mentioned, OpenXPKI supports certificates with both EC and RSA keys, and this is generally true on all "certificate levels": The active Issuing CA within a PKI Realm can itself be based on an RSA or an EC key and it can issue EC or RSA certificates. Apart from that, OpenXPKI supports any number of Issuing CAs within one single PKI Realm. However, the idea here is that only one of these Issuing CAs is active at any given time, so this feature is used to support seamless Issuing CA rollovers where a newer Issuing CA completely takes over issuance of certificates and the older CAs within the Realm are in passive mode, issuing CRLs only. Now, if I understand you correctly you want to have two distinct Issuing CA certificates which are valid and concurrently active at the same time within a PKI Realm, with both actively issuing certificates. This is not supported with the standard workflows within OpenXPKI, and I don't see it as a feature that is useful in general. My recommendation is to use two different Realms with different Issuing CAs below the same Root CA instead. It is of course possible to modify/customize the workflows in a way that this would work, but this requires analysis, design and implementation to do this right (and my gut feeling is that while doing so some nasty gotchas might appear). Cheers Martin ___ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
[OpenXPKI-users] Multiple Private Keys for a single realm
Hi We are running a setup with OpenXPKI with a single Root CA (RSA private key) and a couple of intermediate/subordinate CA (all with EC private keys). Now we have hit a problem where a 3rd party product should act as a separate CA but still we want to maintain the trust back to our root ca. This is working fine with our subordinate CA on other platforms, but this platform requires the signing key being a RSA key and not a EC key. Now I can perfectly fine create a new realm with a RSA key (tested ok) however, would it be possible to have multiple private keys on a single realm? For example that our Sub CA will sign CSRs based on a RSA private key with a RSA key and EC requests with the EC key? Thomas ___ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users