I think it's better to solve this issue, because 50,000 certificates are
too few to justify other CAs in the same PKI.

 The solution with OpenSSL seems simple: OpenSSL must work without the
index.txt, because it uses this file as a database, but the database is
already handled by OpenCA. On issuing there is no problem in removing the
index.txt file (obviously you must give up things like the uniqueDN
check...). The problem is CRL issuing, because the "ca -gencrl" command
of OpenSSL uses only the information in the index.txt file to construct
the ASN.1 structure of the CRL (revocation date/time, reason code, etc.).
But as I said, by using the same procedure as the index.txt reconstruction
(with the patch I published months ago :-D ), you can reconstruct a new
index.txt file just in time, before the OpenSSL command is executed. In this
case you'll have fewer scalability problems, because the procedure will only
read revoked/suspended certificates from the database... obviously the
scalability problem will reappear if you have more than 50,000 revoked
certificates (with millions of issued certificates it is very common ;-) ). The
other solution is to modify OpenSSL. I've already done it in the past; it's not
complex when you touch only the sources in the apps section.

 I'm studying the possibility of adding a command to the ca.c module that
generates a CRL using the information passed from the command line. Something
like this:

openssl ca -gencrlNoDb -out output.crl -crlSerial CRLSERIAL
SERIAL1_REVOCATIONDATE1_REASON1 SERIAL2_REVOCATIONDATE2_REASON2 ....

with SERIALi, REVOCATIONDATEi and REASONi in the same format as found in the
index.txt file. It could be enough, and the problem would move to executing
such a long command line, but here I ask the Linux experts reading now :-) I'll
try this solution soon. On vacation I can only think about solutions :-D

p.s. the other problem with OpenSSL when issuing certificates and CRLs is
removing the last serials contained in text files ;-)



On Tue, Aug 19, 2008 at 16:36, Adolfo Hernandez <[EMAIL PROTECTED]> wrote:

> Hi folks,
>
> I have also found those issues on previous OpenCA deployments: the
> scalability problems due to the software packages OpenCA depends on (like OpenSSL).
>
> Anyhow, until the new release solving the aforementioned topics appears, you
> could use PKI segregation concepts and virtualization technologies.
> Instead of having a CA issuing more than 50,000 certs, you could deploy
> another OpenCA instance to divide the load and all that stuff.
>
> BR,
>
>
> Adolfo
>
>

-- 
Diego
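An added example (in Python; not OpenCA's code and not the patch mentioned above) of the "rebuild index.txt just in time" approach discussed in the message: from a list of revocation records it writes only R entries, in the six tab-separated fields that "openssl ca" parses, then points a throwaway config at that file and runs "openssl ca -gencrl". The Revocation type, the file paths and the sample records are assumptions; the CRL number the message calls CRLSERIAL is supplied through OpenSSL's crlnumber file. The input checks mirror what ca.c enforces when it loads the index (even-length hex serial, a known reason token, one record per line).

```python
"""Rebuild an OpenSSL index.txt from revocation records, then run "openssl ca -gencrl".

Added example for the thread above; it is not OpenCA's code or the patch it mentions.
Only revoked/suspended entries are written, since ca -gencrl reads nothing else.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Reason tokens "openssl ca" accepts after the revocation date in field 3.
REASONS = {
    "keyCompromise", "CACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "removeFromCRL",
}
SERIAL_RE = re.compile(r"^(?:[0-9A-F]{2})+$")  # ca.c rejects odd-length or non-hex serials


@dataclass(frozen=True)
class Revocation:               # hypothetical record type, not an OpenCA class
    serial: str                 # upper-case hex, as OpenSSL writes it
    revoked_at: datetime        # tz-aware
    reason: Optional[str]       # member of REASONS, or None for an unspecified reason
    expires_at: datetime        # tz-aware; fills field 2, which -gencrl does not use
    subject: str                # OpenSSL one-line DN, e.g. /C=IT/O=Example/CN=alice


def asn1_time(dt: datetime) -> str:
    """Index.txt time: UTCTime YYMMDDHHMMSSZ, GeneralizedTime from 2050 on (RFC 5280)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime would be read as local time; pass a UTC value")
    dt = dt.astimezone(timezone.utc)
    fmt = "%Y%m%d%H%M%SZ" if dt.year >= 2050 else "%y%m%d%H%M%SZ"
    return dt.strftime(fmt)


def index_line(rev: Revocation) -> str:
    """One 'R' record: status, expiry, revdate[,reason], serial, file name, subject."""
    if not SERIAL_RE.match(rev.serial):
        raise ValueError(f"bad serial {rev.serial!r}: need even-length upper-case hex")
    if rev.reason is not None and rev.reason not in REASONS:
        raise ValueError(f"unknown reason {rev.reason!r}")
    if "\t" in rev.subject or "\n" in rev.subject:
        raise ValueError("subject would break the tab-separated record")
    rev_field = asn1_time(rev.revoked_at) + (f",{rev.reason}" if rev.reason else "")
    return "\t".join(["R", asn1_time(rev.expires_at), rev_field,
                      rev.serial, "unknown", rev.subject])


def build_index(revocations) -> str:
    """The whole index.txt: revoked/held certificates only, one per line."""
    return "".join(index_line(r) + "\n" for r in revocations)


def crlnumber_text(n: int) -> str:
    """The crlnumber file wants even-length hex, like the serial file."""
    h = f"{n:X}"
    return ("0" + h if len(h) % 2 else h) + "\n"


def gencrl(revocations, workdir: Path, ca_cert: Path, ca_key: Path,
           crl_number: int, out_crl: Path, days: int = 7) -> None:
    """Write a throwaway index.txt and config, then let openssl sign the CRL."""
    index = workdir / "index.txt"
    index.write_text(build_index(revocations))
    (workdir / "index.txt.attr").write_text("unique_subject = no\n")
    crlnumber = workdir / "crlnumber"
    crlnumber.write_text(crlnumber_text(crl_number))
    conf = workdir / "ca.cnf"
    conf.write_text(
        "[ ca ]\ndefault_ca = rebuilt\n\n[ rebuilt ]\n"
        f"database = {index}\ncertificate = {ca_cert}\nprivate_key = {ca_key}\n"
        f"crlnumber = {crlnumber}\ndefault_crl_days = {days}\ndefault_md = sha256\n"
    )
    subprocess.run(["openssl", "ca", "-config", str(conf), "-gencrl",
                    "-out", str(out_crl)], check=True)


# Constructed sample records (not real certificates).
UTC = timezone.utc
SAMPLE = [
    Revocation("0A1B", datetime(2008, 8, 1, 12, 0, 0, tzinfo=UTC), "keyCompromise",
               datetime(2010, 8, 1, 0, 0, 0, tzinfo=UTC), "/C=IT/O=Example/CN=alice"),
    Revocation("0A1C", datetime(2008, 8, 10, 9, 30, 0, tzinfo=UTC), "certificateHold",
               datetime(2010, 8, 1, 0, 0, 0, tzinfo=UTC), "/C=IT/O=Example/CN=bob"),
    Revocation("0A1D", datetime(2008, 8, 12, 0, 0, 0, tzinfo=UTC), None,
               datetime(2051, 1, 1, 0, 0, 0, tzinfo=UTC), "/C=IT/O=Example/CN=carol"),
]

if __name__ == "__main__":
    print(build_index(SAMPLE), end="")
```

Because gencrl() reads nothing but the records it is given, its cost scales with the number of revoked and held certificates, not with the number issued, which is the trade-off the message describes; the crlnumber file is rewritten by openssl on each run, so the work directory must be writable.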
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users