From: Branko M. <br...@ma...> - 2014-08-31 19:14:30
On Thu, 21 Aug 2014 08:54:08 +0100 Ebtehal Hassan <h.e...@ya...> wrote:
> Hi,
> I am trying to deploy a hierarchical PKI architecture, that is, a PKI architecture with a root CA and some external sub CAs, in addition to a Management CA for managing all CAs and sub CAs, but I have some problems. Here is what I actually did:
> - For the Management CA, I deployed EJBCA by default on machine 1, created another super administrator from this CA and deleted the old one.
> - For the Root CA, I copied the Management CA to machine 2 and created the Root CA; after that I tried to delete the Management CA, but it was not deleted. But if I create a new superadmin using the Root CA, the old one will be deleted, but the Management CA will not have any permission on the Root CA. :(
>
> So my question is: how can I isolate the Root CA from the Management CA without losing the managing and administration of the Management CA over all systems and my PKI?
>
> Thanks and best regards,
> Ebtehal Hassan

I am not quite sure I understand the problem (maybe if you try to explain it with a bit more detail), but I'm assuming that you want to have a Management CA that is hosted outside of the Root CA EJBCA instance, used for authentication and authorisation purposes on the Root CA EJBCA instance.

In such a case you would normally create the Management CA somewhere else, and then import it as an external CA (just the Management CA certificate) into the Root CA EJBCA instance. This would be the first step you'd perform on the Root CA EJBCA instance (and you'd need to do it via the EJBCA CLI). The next step would be adding one of the admin certificates issued by the Management CA to the super-administrator group on the Root CA EJBCA instance (again via the EJBCA CLI). You would also issue an appropriate keystore/truststore for your Root CA EJBCA instance, deploy it, etc.
After all of this, if you have disabled administrator certificate checks in web.properties on the Root CA EJBCA instance (or you have imported the administrator certificate into the Root CA EJBCA instance), you would be able to go in through the web GUI and create your Root CA.

Hopefully this somewhat condensed answer will get you going in the right direction :)

Best regards

--
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.