Happy New Year everyone! > We are running a setup with OpenXPKI with a single Root CA (RSA private key) > and a couple of intermediate/subordinate CA (all with EC private keys). > > Now we have hit a problem where a 3rd party product should act as a separate > CA but still we want to maintain the trust back to our root ca. This is > working fine with our subordinate CA on other platforms, but this platform > requires the signing key being a RSA key and not a EC key. > > Now I can perfectly fine create a new realm with a RSA key (tested ok) > however, would it be possible to have multiple private keys on a single > realm? For example that our Sub CA will sign CSRs based on a RSA private key > with a RSA key and EC requests with the EC key?
As you mentioned, OpenXPKI supports certificates with both EC and RSA keys, and this is generally true on all "certificate levels": The active Issuing CA within a PKI Realm can itself be based on an RSA or an EC key and it can issue EC or RSA certificates. Apart from that, OpenXPKI supports any number of Issuing CAs within one single PKI Realm. However, the idea here is that only one of these Issuing CAs is active at any given time, so this feature is used to support seamless Issuing CA rollovers where a newer Issuing CA completely takes over issuance of certificates and the older CAs within the Realm are in passive mode, issuing CRLs only. Now, if I understand you correctly you want to have two distinct Issuing CA certificates which are valid and concurrently active at the same time within a PKI Realm, with both actively issuing certificates. This is not supported with the standard workflows within OpenXPKI, and I don't see it as a feature that is useful in general. My recommendation is to use two different Realms with different Issuing CAs below the same Root CA instead. It is of course possible to modify/customize the workflows in a way that this would work, but this requires analysis, design and implementation to do this right (and my gut feeling is that while doing so some nasty gotchas might appear). Cheers Martin _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
