Hi Grégory,

> Unfortunately, due to a mistake on my side, I had to create a separate
> intermediate CA for my VPN, and a CA for everything else.
>
> I do have two Intermediate CAs now:
>
> - CN=MyOrg Intermediate CA v1,O=MyOrg imported as ca-signer-1 in OpenXPKI
>
> - CN=MyOrg Intermediate VPN CA v1,O=MyOrg imported as ca-signer-2 in OpenXPKI
>
> I did create one profile for my VPN users on my realm, and one for servers.
> Every certificate is in the following format: CN=<VPN User/Server>,OU=VPN,O=MyOrg.
>
> Recently, I had to issue multiple VPN certificates. My users made their
> requests, and everything went well. But today, I need to issue a certificate
> for a TLS Server, but not signed with the VPN ICA.
>
> When I made the request/approved it (I made it as an operator), I did not see
> any field/button where I can choose the signing CA? Is there something to
> change in the configuration (Having a field like this in the YAML profile
> would be a nice feature) or am I missing something in the UI? I issued a
> certificate that I had to revoke because the wrong ICA was used.
>
> Do I need a separate realm?

OpenXPKI supports any number of distinct and independent PKI Realms or logical CAs. PKI Realms are completely separate from each other and provide distinct name spaces for issued certificates.

Within a PKI Realm an arbitrary number of Issuing CAs ("signer tokens") can be configured. OpenXPKI expects that the PKI architect makes sure that all Issuing CAs within a PKI Realm issue certificates within the same policy and name space.

Multiple Issuing CA signers within a PKI Realm are supported for the purpose of perpetual and uninterrupted CA operation by means of automatic CA rollover from one signer to the next. The system normally automatically picks the most recent Issuing CA signer token for issuing new certificates. Hence it is normally not possible to manually select the Issuing CA within the PKI Realm (there are some exceptions, but they do not apply in your case).

If you actually want to have different Issuing CAs responsible for issuing EE certificates within different name spaces or policies, you should set up distinct PKI Realms and configure each of the different Issuing CAs within their appropriate PKI Realm.

Cheers

Martin
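
Added illustration, not part of the original message and not OpenXPKI code: a simplified Python model of the signer selection described in the reply, showing why a server request in a shared realm is signed by the VPN ICA and how one realm per Issuing CA avoids it. It assumes "most recent" means the latest notBefore among currently valid signers; the realm names and validity dates are constructed, only the aliases and subjects come from the thread.

```python
from datetime import date

# Constructed sample data: aliases and subjects are from the thread,
# validity dates are invented for illustration.
SIGNERS = {
    "ca-signer-1": {"subject": "CN=MyOrg Intermediate CA v1,O=MyOrg",
                    "notbefore": date(2020, 1, 10), "notafter": date(2030, 1, 10)},
    "ca-signer-2": {"subject": "CN=MyOrg Intermediate VPN CA v1,O=MyOrg",
                    "notbefore": date(2020, 3, 5), "notafter": date(2030, 3, 5)},
}

def pick_signer(realm_aliases, today):
    """Return the alias of the currently valid signer with the latest notBefore.

    Assumption: this models "most recent signer token". Note that neither the
    certificate profile nor the request is an input to the choice.
    """
    usable = [a for a in realm_aliases
              if SIGNERS[a]["notbefore"] <= today <= SIGNERS[a]["notafter"]]
    if not usable:
        raise LookupError("no valid signer token in this realm")
    return max(usable, key=lambda a: SIGNERS[a]["notbefore"])

def issuer_for(layout, realm, today):
    """Issuer subject that any request in `realm` receives under `layout`."""
    return SIGNERS[pick_signer(layout[realm], today)]["subject"]

# Layout from the question: both intermediates in one realm (hypothetical name).
ONE_REALM = {"myorg": ["ca-signer-1", "ca-signer-2"]}
# Layout from the reply: one realm per Issuing CA (hypothetical names).
TWO_REALMS = {"myorg-servers": ["ca-signer-1"], "myorg-vpn": ["ca-signer-2"]}

if __name__ == "__main__":
    today = date(2021, 6, 1)
    # Shared realm: VPN and server profiles alike get the newest signer.
    print("myorg ->", issuer_for(ONE_REALM, "myorg", today))
    # Separate realms: the realm, not the profile, determines the issuer.
    for realm in TWO_REALMS:
        print(realm, "->", issuer_for(TWO_REALMS, realm, today))
```
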