From: Tomas G. <to...@pr...> - 2004-05-25 14:05:08
I'd say normally the CA is online but the private key stored in secure storage, such as an HSM. Having a CA offline is not really useful unless you only have 10 users and don't bother about CRLs etc.

It is true that ejbca does not support off-line operation of the CA. If connecting an HSM to the CA, it will be possible later to use the CA although the HSM device is off-line. This is nothing supported out of the box though.

If you like the CA off-line you can have ejbca off-line and distribute pkcs12-files to users (p12/pem/jks can be generated in batches). I believe that is easier to use than having a de-coupled enrollment procedure. In ejbca enrollment is made in one single procedure, you apply and get your certificate immediately. Or you are handed your keys and certificate, all at once, from the administrator.

Cheers,
Tomas

Michael Konietzka wrote:
> Hi,
>
> I am new to ejbca and was looking at the docs to see,
> if ejbca supports an offline ca and online ra:
>
> Offline CA <------> Online RA
>               DX
> Dataexchange "DX" via floppy for example?
>
> I understand the docs the way, that all components are on
> one JBoss? Did I miss something, because "normally" the signing
> component in a PKI is offline for security reasons, isn't it?
>
> Best regards
> Michael
>