Hi Scott, > I went through checked the config.xml file. I think OpenXPKI may be > configured to contain Multiple CA's with proper configuration but i > have not seen anything regarding CA Chains or Hierarchical CA's. > Kindly clear me that wether this functionality exists in OpenXPKI or > not?
please have a look at the architecture white paper on the OpenXPKI site. It describes the concept of PKI Realms which essentially provide a logical issuing CA namespace. PKI Realms are independent of each other. You are entirely free to configure a complete CA hierarchy within one single OpenXPKI installation (e. g. one Realm "Root CA", and a different Realm "Issuing CA"). OpenXPKI is intelligent enough to be able to create the corresponding certificate chains automatically. However, you should consider moving the Root CA to an offline system in order to reduce exposition to possibly "hostile" activity. Normally you only need Root CA operations (CA certificate issuance, CRL issuance) very infrequently, so transferring certificate requests and certificates manually may be an acceptable price for additional operational security. cheers Martin ------------------------------------------------------------------------------ Return on Information: Google Enterprise Search pays you back Get the facts. http://p.sf.net/sfu/google-dev2dev _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
