On Tue, 2 Jan 2024 at 17:22, Martin Bartosch <[email protected]> wrote:
> > Happy New Year everyone!
> >
> > We are running a setup with OpenXPKI with a single Root CA (RSA private
> > key) and a couple of intermediate/subordinate CAs (all with EC private keys).
> >
> > Now we have hit a problem where a 3rd party product should act as a
> > separate CA but still we want to maintain the trust back to our root CA.
> > This is working fine with our subordinate CA on other platforms, but this
> > platform requires the signing key being an RSA key and not an EC key.
> >
> > Now I can perfectly fine create a new realm with an RSA key (tested ok);
> > however, would it be possible to have multiple private keys on a single
> > realm? For example that our Sub CA will sign CSRs based on an RSA private
> > key with an RSA key and EC requests with the EC key?
>
> As you mentioned, OpenXPKI supports certificates with both EC and RSA
> keys, and this is generally true on all "certificate levels": The active
> Issuing CA within a PKI Realm can itself be based on an RSA or an EC key
> and it can issue EC or RSA certificates.
>
> Apart from that, OpenXPKI supports any number of Issuing CAs within one
> single PKI Realm. However, the idea here is that only one of these Issuing
> CAs is active at any given time, so this feature is used to support
> seamless Issuing CA rollovers where a newer Issuing CA completely takes
> over issuance of certificates and the older CAs within the Realm are in
> passive mode, issuing CRLs only.
>
> Now, if I understand you correctly you want to have two distinct Issuing
> CA certificates which are valid and concurrently active at the same time
> within a PKI Realm, with both actively issuing certificates.

Correct

> This is not supported with the standard workflows within OpenXPKI, and I
> don't see it as a feature that is useful in general.
> My recommendation is to use two different Realms with different Issuing
> CAs below the same Root CA instead.

Ok, that's what I thought, but I just wanted to be sure that there wasn't a "hidden" feature that would allow for this rather special case :-) I'll create a new realm and make this RSA based.

> It is of course possible to modify/customize the workflows in a way that
> this would work, but this requires analysis, design and implementation to
> do this right (and my gut feeling is that while doing so some nasty gotchas
> might appear).

Yeah, I'd rather not make anything hacky on this setup, it will most definitely bite me later on during an upgrade or other changes to the system.

> Cheers
>
> Martin

Thanks for your reply.

Thomas
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
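The layout Martin recommends (one RSA root, a separate issuing CA per realm, each free to use its own key algorithm) can be reproduced with plain openssl to check the two claims made in the thread: that an issuing CA's key algorithm does not constrain the algorithm of the certificates it issues, and that leaves under an EC issuing CA and under an RSA issuing CA both chain back to the same root. The script below is an added example written for this page; it is not from the thread and not OpenXPKI code or configuration. Subject names, the P-256 curve, the RSA key size, validity periods and the `realm A`/`realm B` labels are assumptions; it needs an openssl that supports `-pkeyopt` and `-extfile` (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not from the thread and not OpenXPKI code: plain openssl
# reproducing the layout Martin recommends. One RSA root, an EC issuing CA
# for "realm A", an RSA issuing CA for "realm B", and one leaf under each.
# Subject names, curve and key sizes are assumptions made for the demo.
set -eu

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_cnf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# Extensions for the root: CA:TRUE plus an SKI so children can reference it.
write_root_ext() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$1"
}

# Extensions for an issuing CA: pathlen:0 so it cannot mint further CAs.
write_ca_ext() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid:always' > "$1"
}

# Extensions for an end-entity certificate: explicitly CA:FALSE.
write_leaf_ext() {
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature' 'extendedKeyUsage=serverAuth' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid:always' > "$1"
}

# gen_key <out.key> <rsa|ec>
gen_key() {
  if [ "$2" = rsa ]; then
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  else
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
  fi
}

# issue <dir> <cn> <subject.key> <issuer.crt> <issuer.key> <extfile> <out.crt>
# The issuer's key algorithm and the subject's are independent, which is the
# point Martin makes about every level of the hierarchy.
issue() {
  openssl req -new -config "$1/req.cnf" -key "$3" -subj "/CN=$2" -out "$7.csr" 2>/dev/null
  openssl x509 -req -in "$7.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
    -sha256 -days 825 -extfile "$6" -out "$7" 2>/dev/null
}

# build_hierarchy <dir>: RSA root, EC and RSA issuing CAs, one leaf under each,
# with every leaf deliberately using the *other* algorithm than its issuer.
build_hierarchy() {
  d="$1"
  write_req_cnf "$d/req.cnf"; write_root_ext "$d/root.ext"
  write_ca_ext "$d/ca.ext";   write_leaf_ext "$d/leaf.ext"

  gen_key "$d/root.key" rsa
  openssl req -new -config "$d/req.cnf" -key "$d/root.key" \
    -subj "/CN=Example Root CA" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -sha256 -days 3650 \
    -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null

  gen_key "$d/ca-ec.key" ec
  issue "$d" "Realm A Issuing CA (EC)" "$d/ca-ec.key" "$d/root.crt" "$d/root.key" "$d/ca.ext" "$d/ca-ec.crt"
  gen_key "$d/ca-rsa.key" rsa
  issue "$d" "Realm B Issuing CA (RSA)" "$d/ca-rsa.key" "$d/root.crt" "$d/root.key" "$d/ca.ext" "$d/ca-rsa.crt"

  gen_key "$d/leaf-a.key" rsa   # RSA leaf under the EC issuing CA
  issue "$d" "service-a.example" "$d/leaf-a.key" "$d/ca-ec.crt" "$d/ca-ec.key" "$d/leaf.ext" "$d/leaf-a.crt"
  gen_key "$d/leaf-b.key" ec    # EC leaf under the RSA issuing CA
  issue "$d" "service-b.example" "$d/leaf-b.key" "$d/ca-rsa.crt" "$d/ca-rsa.key" "$d/leaf.ext" "$d/leaf-b.crt"
}

# verify_chain <root.crt> <issuing.crt> <leaf.crt>: exit 0 only if the leaf
# chains to the root through the supplied intermediate.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# key_alg <cert>: the public key algorithm name recorded in the certificate.
key_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

WORK=$(mktemp -d)
build_hierarchy "$WORK"
echo "leaf-a key: $(key_alg "$WORK/leaf-a.crt"), issued by the EC CA"
echo "leaf-b key: $(key_alg "$WORK/leaf-b.crt"), issued by the RSA CA"
verify_chain "$WORK/root.crt" "$WORK/ca-ec.crt"  "$WORK/leaf-a.crt" && echo "realm A chain: OK"
verify_chain "$WORK/root.crt" "$WORK/ca-rsa.crt" "$WORK/leaf-b.crt" && echo "realm B chain: OK"
# Each realm must ship its own issuing CA certificate: with the wrong
# intermediate the chain cannot be built even though both share the root.
if verify_chain "$WORK/root.crt" "$WORK/ca-rsa.crt" "$WORK/leaf-a.crt"; then
  echo "unexpected: leaf-a verified via the RSA CA"
else
  echo "leaf-a does not verify with the wrong intermediate (expected)"
fi
```

The last check is the practical consequence of splitting by realm: relying parties trust only the root, so every service in realm A has to send the EC issuing CA certificate and every service in realm B the RSA one, or chain building fails with "unable to get local issuer certificate".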
