I have a problem giving access rules to my CA admin. I have 2 rules to be set:
1) CA Admin 1 - can only create CSR/create CA. Cannot do anything else.
2) CA Admin 2 - can only load CA into the system and activate it.
My problem is, when I use the CA Administrator rule, it does not allow creating a CA. I already edited it in advanced mode but it seems like it does not take any effect. Please, I really need help with this.
I changed to use Super Administrator, but I cannot decline other rules in the access mode. It does not take any effect.
Thanks and Regards,
To create new CAs you need to be superadmin.
Creating new CAs is usually done very few times, during a key ceremony, where things (usage of superadmin) are under strict control. CA Admin can then do daily operations on the already created CAs.
Thank you so much for your answer
Is there any way I can restrict the superadmin rule ... for example superadmin1 can do all...but superadmin2 cannot edit RA functions?
Nope, a superadmin is a superadmin.
OK...thank you so much for your reply...
In my case, there will be several times when we create a CA/intermediate root according to customer and project. Most of the time each project has its own CA/intermediate cert. It seems superadmin is so powerful and we try to segregate the tasks according to SoD (segregation of duties). That's why this happens.
I just want to clarify again:
1) CA Admin cannot create CA/Intermediate cert. Only Superadmin can.
2) Superadmin cannot be restricted to certain access rules. It always has all privileges.
Am I right in my understanding?
Thanks and Regards,
Thank you so much for your reply ... :)