From: Oliver W. <ma...@ol...> - 2024-07-25 05:53:06
Hi Alaa,

in which chain don't you see the root? The "primary" views will always show the parent signer certificate, which is SignerCA1 in your case, but in the background the chain is there and it should also be delivered by all download options.

Oliver

On 24.07.24 11:39, Alaa Hilal wrote:
> Hello,
>
> I followed the above approach, but the rootCA is not showing in the
> chain. The top of the chain is showing to be the signingCA from server1.
> Am I doing anything wrong?
>
> Regards,
> Alaa
>
> On Wed, Jul 24, 2024 at 8:37 AM Alaa Hilal <ala...@gm...> wrote:
>
>> Hello,
>>
>> Thanks for the clarification. I can import them one by one. So can
>> I follow this process on server 2?
>> 1- import rootCA
>> 2- openxpkiadm certificate import --file root.crt
>> 3- import signingCA from server1 --> here I import it same way?
>> openxpkiadm certificate import --file signingCAserver1.crt
>> 4- create a key and csr for server2 signing ca and sign it with
>> server 1 pki
>> 5- create token for the signingca of server 2
>> ....
>>
>> Does this sound right?
>>
>> Best regards,
>>
>> On Wed, Jul 24, 2024 at 8:27 AM Martin Bartosch via OpenXPKI-users
>> <ope...@li...> wrote:
>>
>>> Hi,
>>>
>>>> I am trying to install 2 instances of openxpki. For the
>>>> first instance I followed the quicksetup in the docs and
>>>> everything is working fine:
>>>> Root CA --> Signing CA (server 1) --> certificate
>>>>
>>>> For the second instance I would like to set it up in a way
>>>> that it is under server 1 in the hierarchy. That is I am
>>>> trying the chain to look as follows:
>>>> Root CA --> Signing CA (server1) --> signing CA (server 2)
>>>> --> certificate
>>>>
>>>> Are there any special instructions that I should follow?
>>>> I am thinking of importing the chain of Root CA --> Signing
>>>> CA (server 1) as the root certificate of installation 2. Would
>>>> that work?
>>>
>>> OpenXPKI does not make assumptions on the logical architecture
>>> of the PKI and allows to build any logical topology.
>>>
>>> The only actively enforced requirement is that when importing
>>> a CA Signer certificate as a signer token into a PKI Realm
>>> the system must be able to build the certificate chain up to a
>>> trusted Root CA Certificate. This effectively means that you
>>> will have to start importing the Root CA and all necessary
>>> intermediate CA certificates in top-down order first into
>>> OpenXPKI.
>>>
>>> Cheers
>>>
>>> Martin
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
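
The top-down import requirement quoted above, worked through as an added example (not part of the thread and not OpenXPKI code): it derives the import order for a signer certificate and refuses to continue when the chain cannot reach a self-signed root. The file name `signingCAserver2.crt` and all DNs are constructed, and issuers are matched by DN only, which is a simplification of real chain building.

```python
# Added example. Certificate data below is constructed; in practice the DNs
# come from `openssl x509 -noout -subject -issuer -in <file>`.
# Assumption: issuers are matched by DN only and subject DNs are unique;
# OpenXPKI itself validates the real chain when a certificate is imported.
CERTS = [
    {"file": "signingCAserver2.crt", "subject": "CN=Signing CA Server 2",
     "issuer": "CN=Signing CA Server 1"},
    {"file": "signingCAserver1.crt", "subject": "CN=Signing CA Server 1",
     "issuer": "CN=Root CA"},
    {"file": "root.crt", "subject": "CN=Root CA", "issuer": "CN=Root CA"},
]


def import_order(certs, signer_file):
    """Return certificate files root-first, ending with signer_file.

    Raises ValueError when the chain cannot be built up to a self-signed root.
    """
    by_subject = {c["subject"]: c for c in certs}
    by_file = {c["file"]: c for c in certs}
    if signer_file not in by_file:
        raise ValueError(f"unknown certificate file: {signer_file}")
    chain, seen = [], set()
    current = by_file[signer_file]
    while True:
        if current["subject"] in seen:
            raise ValueError("issuer loop, no self-signed root reachable")
        seen.add(current["subject"])
        chain.append(current["file"])
        if current["issuer"] == current["subject"]:
            break  # self-signed: this is the root, the chain is complete
        parent = by_subject.get(current["issuer"])
        if parent is None:
            raise ValueError(f"missing issuer certificate: {current['issuer']}")
        current = parent
    return list(reversed(chain))


def import_commands(certs, signer_file):
    """Build the openxpkiadm import commands in top-down order."""
    return [f"openxpkiadm certificate import --file {name}"
            for name in import_order(certs, signer_file)]


if __name__ == "__main__":
    for cmd in import_commands(CERTS, "signingCAserver2.crt"):
        print(cmd)
```
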