From: Branko M. <br...@ma...> - 2014-08-22 19:05:05
On Fri, 22 Aug 2014 16:39:24 +0300 Pavel Bychykhin <byc...@ht...> wrote:

> Hello Everyone,
> While I'm adding End Entities I should choose a CA. So End Entity is
> being bound to CA (or not)?
> What if I have several CAs and I need to enroll in both of them with the
> same name?
> Can you please clarify, why can't End Entities duplicate despite the
> fact they are linked to different CAs?
> Thanks in advance.
>

In a way, the CA that is selected for an end entity will dictate what CA will be issuing the next certificate for that end entity. This is at least the case when using the EJBCA web GUI (I am not 100% sure in case of web service calls, but I _think_ it's the same).

If you wish to issue certificates to the same end entity from multiple CAs, you would need to update the end entity's CA before each certificate issuance. Otherwise there shouldn't be anything in EJBCA preventing you from doing this.

As for why this was implemented the way it was, I will take some wide liberties and assume it was simply a design decision, and it fitted the most common deployment cases at that time. But this is me literally just shooting off from the hip (movie hero style :).

In the end, keep in mind that the end entity profile is the one that really dictates what CAs will be available for issuing a certificate to an end entity. The CA that is currently selected for the end entity can be set to any of those (at any time).

Best regards

P.S.
As a side-note, you may notice that certificate profile selection for an end entity has a similar design/principle too.

--
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.

Бранко Мајић
Jabber: br...@ma...
Please send attachments exclusively in free formats.