>> Thanks for confirming my prejudice :) And having seen the horrors of ADCS 
>> in real life it totally eludes me why one would consider a Microsoft CA for 
>> implementing an Issuing CA, let alone a Root CA for a heterogeneous 
>> environment not consisting of pure Microsoft systems. From my experience ADCS 
>> only makes sense in a pure Microsoft world. (Apologies for the rant, but you 
>> came to an OpenSource PKI forum :)

I've grown up in a pure Microsoft world, so yes, in a *pure* Microsoft 
environment it just works (and SubCAs behave better than roots), Apple style: 
just Embrace, Extend and Extinguish standards.  This is also 2012R2, where it 
seems the ECC support isn't fully baked in.  There could be underlying 
limitations to 2012 (it does also date from around those dark days you refer 
to) that have seemingly matured in 2016, since 2012 is also the basis of 
everything Windows today.  It seems as of 2016 there is much better ECC 
support, where you can list the actual supported curves and even define your own 
parameters. 

I would actually be running 2019 but have 2012 lying around, and for the larger 
project I'm doing, 2012 is good enough; I wanted to also try ECC, just because.  
I did learn the internals of ADCS and how to better manipulate the creation of 
my RootCA, which applies to 2012 as much as 2019.

As for why: I actually had this setup where I used to work, a Windows Root based 
on 2016 with an RSA key, and I was implementing a Gemalto HSM with client cert 
auth.  When signing the CSR from the HSM with the ADCS Root, the HSM, based on 
OpenSSL, didn't like it when trying to validate the chain. I never got the 
answer from Gemalto (left the job before I got it).  So with XPKI I get to 
delve into the depths of managing certificates backed by OpenSSL.  This 
validation thread has allowed me to grow my OpenSSL understanding and what 
Gemalto may be doing under the hood.


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users