From: Gerard G. <ge...@si...> - 2004-04-06 17:04:54
Hi,

We are getting into the architecture of permissions within a multiple CA EJBCA instance. The layout of what we have planned is something like 2 CAs - 1 for personal identity (PI), 1 for servers (S). I want to create a CA Administrator for each CA. In this scenario, all CA Administrator Certificates should be signed by 'PI'.

I can create a CA Administrator for PI (given 'PI' is the signer of my initial superadmin cert) that gives me access to the 'PI' CA. It appears as though I cannot create a similar cert for a CA administrator of 'S' (without also giving it administrator authority over 'PI') and EJBCA reports 'Access Denied'.

Recognizing that I don't know the internals of EJBCA at all, a possible solution to this would be to add a drop down pick or select list of 'Trusted Signers' on the page 'Edit Administrators', on the same line as 'Match with', 'Match Type', and 'Administrator'.

Can you give any much-needed guidance?

Thanks
Gerard