Hello there,
On Mon, 2004-05-17 at 15:28, Michael Konietzka wrote:
The user should enter his data once and he gets an x509-cert for his signing cert and a pkcs12 for his decrypting cert.
OpenCA does support this, but you will need to generate each key pair separately.
1. If you use the standard request for the signing key then the keys are generated on the client.
2. Then if you use the basic request the keys are generated on the RA.
I think this gives you what you are after, but it requires the user to make two requests.
Ok, but how should I handle the different keyUsage in certification process?
A user-certificate(sign) for E-Mail-Signing, non-repudiation, Client-Auth
should have another keyUsage than a user-certificate(enc/decryption) for email-encryption.
A sign-certificate has the following keyUsage:
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage: TLS Web client authentication, E-mail protection
An encryption/decryption certificate has the following keyUsage:
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
Should these be different roles, for example "User-sign" and "User-encrypt",
within one CA,
or should I set up two CAs, each with one "User"-role, where the role has different keyUsages on the two CAs?
+---------+    +----------------+
| Root-CA |-+--| E-Mail-Sign-CA |  User: keyUsage:
+---------+ |  +----------------+  nonRepudiation,digitalSignature
            |
            |
            +--+----------------+
               | E-Mail-Enc-CA  |  User: keyUsage:
               +----------------+  keyEncipherment,
                                   dataEncipherment,keyAgreement

When using two CAs there should be a separate RA/PUB-Interface for each CA.
Any comments?
Best regards Michael
-- Dipl.-Inform. Michael Konietzka Schlund + Partner AG
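
Added example, not part of the original message and not OpenCA code: a stdlib-only check that encodes the two keyUsage sets from the message as the DER BIT STRING defined in RFC 5280, decodes them again, and flags a certificate that mixes signing and encryption bits. The function names and the sample values are constructed for illustration.

```python
# RFC 5280 section 4.2.1.3: KeyUsage is a BIT STRING; named bit n is counted
# from the most significant bit of the first content octet.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# The two sets named in the message above.
SIGNING = {"nonRepudiation", "digitalSignature"}
ENCRYPTION = {"keyEncipherment", "dataEncipherment", "keyAgreement"}


def encode_key_usage(names):
    """DER-encode keyUsage names as a BIT STRING (tag 0x03, short length)."""
    positions = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not positions:
        raise ValueError("keyUsage must assert at least one bit")
    body = bytearray(positions[-1] // 8 + 1)
    for p in positions:
        body[p // 8] |= 0x80 >> (p % 8)
    unused = 7 - positions[-1] % 8  # DER drops trailing zero bits
    return bytes([0x03, len(body) + 1, unused]) + bytes(body)


def decode_key_usage(der):
    """Return the set of keyUsage names asserted in a DER BIT STRING."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2 or der[2] > 7:
        raise ValueError("not a well-formed short-form BIT STRING")
    body = der[3:]
    nbits = min(len(body) * 8 - der[2], len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(nbits)
            if body[i // 8] & (0x80 >> (i % 8))}


def classify(der):
    """'sign', 'encrypt', 'mixed' (both kinds on one key) or 'other'."""
    usage = decode_key_usage(der)
    sign, enc = bool(usage & SIGNING), bool(usage & ENCRYPTION)
    if sign and enc:
        return "mixed"
    return "sign" if sign else "encrypt" if enc else "other"


if __name__ == "__main__":
    # Constructed sample: a single-key certificate with both kinds of usage.
    single_key = encode_key_usage({"digitalSignature", "keyEncipherment"})
    for label, der in [("sign", encode_key_usage(SIGNING)),
                       ("encrypt", encode_key_usage(ENCRYPTION)),
                       ("single-key", single_key)]:
        print(label, der.hex(), classify(der))
```

Run against the keyUsage extension bytes of issued certificates, a "mixed" result marks a certificate that does not follow the sign/encrypt split discussed in the thread.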
