From: Scott H. <sc...@hn...> - 2010-03-22 16:23:54

Hi Martin,

Just so I understand it correctly, the configuration (token.xml and config.xml) must be updated manually each time a new certificate is created, thus preparing for the next rollover. This implies that the "Fully Automatic CA Rollover" isn't actually fully automatic, but that OpenXPKI's choice of which certificate to use is fully automatic.

I may be wrong, but from a usability standpoint, it would be kind of sexy if something like this could be managed right in the UI. I picture a list of the known Issuing CA certificates, perhaps with expired ones filtered out. Then, there would be an option/button for creating or adding a new certificate without having to edit the XML files directly. It would help to have these data items stored in the datapool rather than in XML, though.

I know that putting such important changes into a GUI won't make auditors happy, but if a strict MVC design is followed, a CLI could also provide access to this feature. I think the OpenXPKI project would benefit from both: sexiness for those that aren't as paranoid and CLI for those that are. Alas, nothing can be checked into GIT better than an XML file, which is probably what makes an auditor happiest.

CU,
Scott

On Mar 22, 2010, at 15:46, Martin Bartosch wrote:

> Hi,
>
>> Using your valuable suggestions regarding "Sub CA in OpenXPKI", I had accomplished it. Now I am interested in the powerful feature "Fully automatic CA Rollover". My ROOT CA and Sub CA's certificates are going to expire in the near future.
>
> it's actually quite easy. You basically need to create new entries in config.xml and token.xml for the new Issuing CA.
>
> I have extended the OpenXPKI Wiki with a description of the necessary steps. Please read
>
> http://wiki.openxpki.org/index.php/Manual/Quickstart/Configuration#Fully_Automatic_CA_Rollover
>
> and let me know if you have any questions. I will extend the article to include descriptions about the certificate import and alias steps, but for now it should suffice to answer your question.
>
> Regards,
>
> Martin

--
Scott T. Hardin <sc...@hn...>
Hard 'n Software Consulting GmbH
An der Schaeferbuche 4-6
35039 Marburg
Germany
Phone: +49 6421 18 36 36
Mobile: +49 177 406 4687
Internet: http://www.hnsc.de
Commercial register: 16 HRB 2232, Amtsgericht Marburg
Managing director: Scott T. Hardin