Menu
▾
▴
Re: [Ejbca-develop] Type of certification authorities
|
From: Branko M. <br...@ma...> - 2014-08-09 20:58:48
|
On Tue, 5 Aug 2014 12:24:32 +0300 eilaf sorkatti <eil...@gm...> wrote: > Hello, > > I would like to ask you what is the difference between management > certification authority, signing Certification authority and > authentication certification authority? > If management certification authority do authentication and signing what is > the need for seperated authentication and signing certification authority? > How to setup/Install each of them? > > > > Regards, Hello Eilaf, This is purely a policy decision. You could define that certificates with specific profile (key usage, extended key usage etc etc) will be issued by a designated sub-CA (or even CA chain). I.e. it's mainly a design decision, and can vary based on the project/customer requirements. As for the ManagementCA, it is usually a good idea to keep it separate since the policies very often need to be different for it (since it commonly forms part of PKI infrastructure). One good reason to keep it separate is in order to grant different privileges to differents groups (let's say you want to let your PKI team be able to freely issue server/client certificates for the PKI environment using ManagementCA). Best regards -- Branko Majic Jabber: br...@ma... Please use only Free formats when sending attachments to me. Бранко Мајић Џабер: br...@ma... Молим вас да додатке шаљете искључиво у слободним форматима. |
