Armin, thank you very much for your help! The pkiCA is a good idea, but it's not in the schemas delivered with OpenLDAP. So I am thinking of writing a new schema file with the pkiCA defined in RFC2587, using the OID 2.5.6.22 as defined there. Defining my own object is also a good idea, so I'm free to add the attributes I need, but what about a unique OID for this object?

Klaus