Hi,

On Wed, Apr 11, 2007 at 11:10:55AM +0200, Andreas Thienemann wrote:
> > > We would like to test a very simple root CA with 3 certs for protecting
> > > a wireless network.
> > What do you mean by "with 3 certs"?
> Probably three sub-CAs.

Ah, OK.

> I'm wondering if there are any "best practices" for setting up a new CA
> from scratch.

Good question. I don't really know any documents on this, and this largely
depends on what you want to do with the CAs and what kind of security level
you are trying to achieve.

> I remember your presentation at the 23C3 where you showed some cases so I

That was probably Micha's part :)

> guess the following would be okay for servers and for differentiating
> between access classes. Christian is probably thinking about something
> like this:
>
>                       Root Certificate
>            |                 |                 |
>   +--------------------+     |     +--------------------+
>   |                          |                          |
> Server CA            Auth CA (User)          Auth CA (Admins)
>
> Or would you suggest a different setup?

Sounds reasonable to me. Maybe combining the Auth CAs into one would be
something to consider (you can still configure a higher level of approvals
needed for an admin certificate to be issued in OpenXPKI).

> > > What should be our next steps?
> > I guess you are at pretty much the same point Robert was a few weeks
> > ago, see the following posting:
> > http://sourceforge.net/mailarchive/forum.php?thread_name=65187.194.250.170.166.1173976507.squirrel%40www.siaige.org&forum_name=openxpki-users
> > In short, it boils down to: Generate a root certificate, import it into
> > the database, make an alias for it and get going ...
> If I'm reading you right you're suggesting that the certificate should be
> generated by calling openssl directly and not through openxpki?

Yes, that's the way it is at the moment. In the above scenario, it
(theoretically) would be enough to create the Root CA certificate using
openssl and then create the Sub-CA certificates using OpenXPKI - but we do
not ship with a CA certificate profile, which means you would have to write
a corresponding profile (which is probably at least as complicated as
issuing the certificates using OpenSSL).

> Any reason for this? I saw a bug that the key generation was broken, but
> that has been fixed around svn revision 400.

Currently, you need an existing CA installation (i.e. certificate and key)
to issue a certificate, i.e. there is no way to issue a self-signed
certificate in OpenXPKI, which prevents us from creating root certificates
within OpenXPKI. Furthermore, it is a bit of a design question - we thought
that the Root CA should possibly live on a different machine (preferably
without any network access) than the CA. Not having the possibility to do
it sort of prevents the user from just bootstrapping the CA on the system
it will run on.

But I agree that we need better documentation on how to bootstrap the
system, i.e. creating the needed CA certificates ...

Regards,
Alex

-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer
[EMAIL PROTECTED]           | working @ urn:oid:1.3.6.1.4.1.11417

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
