Hello,
because of security reason i want to strip not needed features.
I want do setup openxpki only for scep certificates.
I did not need server, client or user certificates and so i want to disable
this certificate features.
Is this possible?
The Web functionality should only serve the scpe protocoll (http) and for the
CA operator the access (https) to the health and other CA pages (if something
goes wrong).
The clr creation should be done daily per cron/batch and should place the crl
to a webpage on the system.
Is this possible with any command (e.g. openxpkiadm).
The issuing, the Web ssl and SCEP certificates have CRL and Authority
Information and so i have to place the latest status to the given url.
E.g.:
X509v3 CRL Distribution Points:
Full Name:
URI:http://rootca.openxpki.net/CertEnroll/OpenXPKI_CA-One_Root_CA.crl
Authority Information Access:
CA Issuers -
URI:http://rootca.openxpki.net/CertEnroll/OpenXPKI_CA-One_Root_CA.crt
...
X509v3 extensions:
X509v3 Subject Key Identifier:
E1:F6:79:34:A8:05:92:79:CE:CF:53:1F:FD:2F:8B:03:0C:69:CA:8F
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:issuing.ca-one.openxpki.net
X509v3 CRL Distribution Points:
Full Name:
URI:http://issuing.ca-one.openxpki.net/CertEnroll/OpenXPKI_CA-One_Issuing_CA.crl
Authority Information Access:
CA Issuers -
URI:http://issuing.ca-one.openxpki.net/CertEnroll/OpenXPKI_CA-One_Issuing_CA.crt
...
Many thanks for your help
Gabriel
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
