On Tue, 2008-09-02 at 14:18 +0200, Alexander Klink wrote:
> Hi Dennis,
>
> On Mon, Sep 01, 2008 at 05:05:09AM -0700, Dennis Glatting wrote:
> > I am trying to figure out how to specify my CA/REALM architecture in the
> > OpenXPKI config, specifically openxpki.conf from which config.xml is
> > derived (I think). Any help how to specify this set up will be
> > appreciated.
>
> > [ROOT_CA] --> [SUB_CA_1] --> [EMPLOYEES_1]
> >            |             --> [DEVICES_1]
> >            |-> [SUB_CA_2] --> [EMPLOYEES_2]
> >            |             --> [DEVICES_2]
> >            |-> [SUB_CA_3] --> [EMPLOYEES_3]
> >            |             --> [DEVICES_3]
>
> Is [SUB_CA_2] the successor of [SUB_CA_1], i.e. do they only differ
> in validity (and possibly key)?
>

No. Each SUB_CA is a semi-independent business unit (subsidiary) tied
together by the root so that devices and traveling employees can be
linked together by the root.

> If this is the case, I would suggest four realms, 'Root CA', 'Sub CA',
> 'Employees' and 'Devices'. Define them in openxpki.conf using
>
> pkirealm: Root CA
> pkirealm: Sub CA
> ...
>
> And then for each realm definition, add the issuing CAs like this:
> issuingca: SUB_CA_1
> issuingca: SUB_CA_2
> ...
>
> > Housing the services will initially be on one machine. Future
>
> I would suggest an offline root CA, though. This is possible using
> the OpenXPKI live CD and a USB drive, for example - I would have to
> generate a new live CD though, as the latest one still suffers from
> the Debian OpenSSL bug and should NOT be used except for testing.
>
> Setting up an offline root CA is relatively easy but brings you a lot
> of security benefit.
>
> HTH,
> Cheers,
> Alex
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Dennis Glatting <[EMAIL PROTECTED]>
