[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: how to bring a CA into directory

To: Klaus Lemkau <Klaus.Lemkau@tu-berlin.de>
Subject: Re: how to bring a CA into directory
From: Armin Wenz <awenz@mtgnet.de>
Date: Fri, 30 Aug 2002 08:54:14 +0200
Cc: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
Organization: media transfer GmbH
References: <3D6E291F.61E17568@TU-Berlin.DE>
User-agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.1) Gecko/20020826

Klaus Lemkau wrote:

Hello, we have a standallone e-mail-CA and want to bring it in our LDAP-directory (LDAP v2 schema). Now the question is, what ObjectClass to use. When we use the objectclass certificationAuthority we also need a 'authorityRevocationList'.


Why no use objectclass 'pkiCA' as defined in RFC2587?
Or you can define your own CA objectclass as we have done as SUP of pkiCA.

- is the objectClass certificationAuthority also designet for standallone CAs ?

You can use objectclasses and attributes whereever you want (but make sure you got a unique OID). So why not use for standalone CAs.


- who signs a authorityRevocationList
  ( a CA which has signet sub-CAs ) ?

Usally a CA signs the ARL, which contains a list of revoked subordinate CA certificates. The question 'you signs the revoked Root CA certificate' is a still the Gretchenfrage (sorry, I don't know the english equivalent)

--

Armin Wenz

References:
- how to bring a CA into directory
  - From: Klaus Lemkau <Klaus.Lemkau@tu-berlin.de>

Prev by Date: Another database
Next by Date: shadowAccount
Index(es):
- Chronological
- Thread