Hi Scott,
> I have applied your suggested configuration by duplicating the
> <pki_realm>...</pki_realm> with different configuration. It works but this
> new PKI realm has no relation with the previous PKI realm. The previous PKI realm
> contains a self-signed certificate. Let's assume the default/previous CA realm
> is the ROOT CA. Now I want a Sub CA to be created whose certificate should be
> signed by the RootCA. There is no option in the Web interface to generate a Sub
> CA certificate. How can I do it?
OpenXPKI ships with a profile definition that is tailored for end entity use.
If you want to use one realm as a Root CA you need to modify the profile
definition for this realm accordingly.
I assume you wish to have the following structure:
Realm: Root CA
Profiles available: CA Certificate
Realm: Issuing CA
Profiles available: TLS Server, TLS Client etc...
In config.xml create two <realm>...</realm> sections, one for the root, the
other for the issuing CA. Move the old profile.xml to the directory issuingca/
below the one containing config.xml. Create a copy in rootca/.
<pki_realm name="Root CA" id="I18N_OPENXPKI_DEPLOYMENT_ROOT_CA">
  <common id="default">
    <token super="common/token_config/token{default}"/>
    ...
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="rootca/profile.xml"/>
    ...
  </common>
  ...
</pki_realm>
<pki_realm name="Issuing CA" id="I18N_OPENXPKI_DEPLOYMENT_ISSUING_CA">
  <common id="default">
    <token super="common/token_config/token{default}"/>
    ...
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="issuingca/profile.xml"/>
    ...
  </common>
  ...
</pki_realm>
This configuration references different profile.xml files in the subdirectories
rootca/ and issuingca/ (if relative paths are used, these directories are
searched below the one that holds config.xml).
Keep the default profile in the endentity section. Remove unnecessary endentity
profiles inherited from the default profile and add a new profile for a Sub CA.
The Sub CA profile needs to have the Key Usages CRL Sign and Cert Sign.
In addition it needs to have the Basic Constraint "CA:TRUE". It may also be
useful to set the Basic Constraint "pathlen:0" in the Sub CA profile (unless you
wish to allow for sub-sub-CAs).
<profiles id="default_profiles">
  <crl>
    ...
  </crl>
  <!-- endentity profiles -->
  <endentity>
    <!-- default certificate profile -->
    <profile id="default">
      ...
    </profile>
    <!-- Sub CA profile -->
    <profile id="I18N_OPENXPKI_PROFILE_SUB_CA"
             super="../profile{default}">
      ...
      <extensions>
        <key_usage critical="true">
          <digital_signature>0</digital_signature>
          <non_repudiation>0</non_repudiation>
          <key_encipherment>0</key_encipherment>
          <data_encipherment>0</data_encipherment>
          <key_agreement>0</key_agreement>
          <key_cert_sign>1</key_cert_sign>
          <crl_sign>1</crl_sign>
          <encipher_only>0</encipher_only>
          <decipher_only>0</decipher_only>
        </key_usage>
        <basic_constraints>
          <ca>1</ca>
          <path_length>0</path_length>
        </basic_constraints>
      </extensions>
    </profile>
    ...
  </endentity>
</profiles>
After you have set up your two PKI realms generate a private key for the Sub
CA. You may use the 'openxpkiadm key generate' command to create a private key
if you wish to use the Secret Splitting mechanism supplied by OpenXPKI. If you
do not need Secret Splitting, it is OK as well to simply use "openssl genrsa
-aes256 2048".
Now you need to create a certificate request for the Sub CA which must be
uploaded in the Root CA Realm. Approve the request and create the CA
certificate using the new Sub CA profile.
From the certificate download/information page copy the displayed certificate
alias of the generated CA certificate (it is not necessary to download the
actual CA certificate, OpenXPKI knows about it in its database and can use it
inherently).
The last step is to create a certificate alias for the generated certificate in
the issuing CA realm.
Use 'openxpkiadm alias --identifier <copied identifier> --alias <alias as set
in config for ca cert> --realm <issuing ca realm name>' to set an alias for the
issuing CA realm.
After a daemon restart it should report that it found an issuing ca for the
endentity realm. Your issuing CA is now ready for use.
Hope this helps,
Martin
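As an added example (not code from the OpenXPKI project or from this mail), the following POSIX shell script rebuilds the Root CA / Sub CA hierarchy described above with plain openssl, giving the Sub CA the extensions the Sub CA profile sets, and checks an issued Sub CA certificate for exactly those extensions before it is aliased into the issuing realm. It assumes openssl is on the PATH; the subjects, file names and extension section names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not OpenXPKI's code or the code from the mail: build a throw-away Root CA /
# Sub CA pair with plain openssl, giving the Sub CA the extensions of the profile above, and
# check an issued Sub CA certificate before aliasing it into the issuing realm.
set -e
# "subca" mirrors the Sub CA profile (CA:TRUE, pathlen:0, keyCertSign + cRLSign; marked
# critical as RFC 5280 requires for CA certificates); "endentity" is a TLS-server style
# profile used only to show what the check rejects. [req]/[dn] keep openssl req non-interactive.
write_ext_config() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[endentity]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# build_hierarchy DIR SECTION: self-signed root, then a Sub CA CSR signed by the root using SECTION.
build_hierarchy() {
  write_ext_config "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Test Root CA" \
    -config "$1/ext.cnf" -extensions root -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Issuing CA" \
    -config "$1/ext.cnf" -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null
  openssl x509 -req -in "$1/sub.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$1/ext.cnf" -extensions "$2" -out "$1/sub.pem" 2>/dev/null
}

# check_subca_cert SUBCA_PEM ROOT_PEM: 0 only if the certificate chains to the root and carries
# exactly the CA extensions the Sub CA profile sets; otherwise 1 with the reason on stderr.
check_subca_cert() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "$1: does not chain to $2" >&2; return 1; }
  bc=$(printf '%s\n' "$text" | awk '/X509v3 Basic Constraints/ { getline; sub(/^ +/, ""); print; exit }')
  ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print; exit }')
  [ "$bc" = "CA:TRUE, pathlen:0" ] || { echo "$1: basicConstraints is '$bc'" >&2; return 1; }
  [ "$ku" = "Certificate Sign, CRL Sign" ] || { echo "$1: keyUsage is '$ku'" >&2; return 1; }
}
# Usage: sh check_subca.sh SUBCA_PEM ROOT_PEM
if [ $# -eq 2 ]; then check_subca_cert "$1" "$2" && echo "$1: Sub CA certificate OK"; fi
```

Run it against the certificate OpenXPKI issued from the Sub CA profile and the Root CA certificate; a certificate issued from an end-entity profile by mistake is rejected with the offending extension value.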
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users