> What could be the reasons for using anything other than openssl as CA? Are
> there security issues?
>
> Are people using openssl as their private CA? Are any particular problems
> reported regarding the use of openssl as private CA on large scale?
I was designing an open Java/C CA a few years back, but never released a public version. The target was small-midsized organizations, e.g., a CA that would issue internal certificates for students and faculty at a university. I studied many of the issues that they're referring to.

There are actually three separate pieces to a "production" CA:

- a registration authority (RA). This is what accepts the requests and supporting documentation. We can use openssl command lines, a public CA can use a website or email, an organization can integrate this into the standard intake processing for new employees, students, patients, clients, whatever.

- a certificate repository (Repository). This is what publishes certificates and CRLs. There are RFCs that describe various standard ways of providing this information, what types of searches should be supported, etc. The openssl CA maintains this information in a set of files. I had prototyped PostgreSQL with custom types so I had native support of certificates and keys. That was seriously cool since I could do pretty much everything openssl does as natively supported database functions and stored procedures. (It would be published via a J2EE app.)

- a certificate authority [engine] (CA). This does nothing but convert CSRs to certs. We're mostly looking at simple environments, but a "production" system will have many layers of certificates. E.g., you might have a grand-daddy cert kept in a safe deposit box, top-level departmental certs (also kept locked away), working departmental certs (kept in the CIO's office), and the working certs used to sign CSRs. The latter might be handled by software, but a larger organization will want those top-level certs/keys in hardware. (BTW even that hierarchy may be simplified. You may go top-level CA -> servers CA -> mail servers CA -> departmental mail server CA -> working departmental mail servers CA -> actual mail server.)

I'm sure you can do all of this with the openssl CA... but imagine signing a thousand certs for the incoming freshman class.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
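The batch-signing scenario the reply closes with, as an added example that is not part of the original post or the OpenSSL project: one `openssl ca` directory with the index/serial "set of files" the post mentions, a stand-in for the RA step that produces CSRs, and a loop that signs them in `-batch` mode and checks the issued certificates against `index.txt`. The directory layout, the `campus_ca` section name and the student CNs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. It stands up one `openssl ca`
# directory (the "set of files" the post mentions: index.txt, serial, newcerts/)
# and batch-signs a directory of CSRs. All names and paths are constructed.
set -eu
CADIR="${CADIR:-$(mktemp -d)/ca}"
init_ca() {  # create the CA database, a minimal config and a self-signed CA cert
  mkdir -p "$CADIR/newcerts" "$CADIR/private" "$CADIR/csr" "$CADIR/issued"
  chmod 700 "$CADIR/private"; : > "$CADIR/index.txt"; echo 1000 > "$CADIR/serial"
  cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = campus_ca
[ campus_ca ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/private/ca.key
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = user_ext
[ policy_any ]
commonName = supplied
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Campus CA" -keyout "$CADIR/private/ca.key" \
    -out "$CADIR/ca.crt" 2>/dev/null
}
make_csrs() {  # $1 = number of student CSRs; stands in for the RA intake step
  i=1; while [ "$i" -le "$1" ]; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=student$i" \
      -keyout "$CADIR/issued/student$i.key" -out "$CADIR/csr/student$i.csr" 2>/dev/null
    i=$((i + 1)); done
}
sign_all() {  # -batch: no per-certificate prompt, so a thousand CSRs is just a loop
  for csr in "$CADIR"/csr/*.csr; do
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" -in "$csr" \
      -out "$CADIR/issued/$(basename "$csr" .csr).crt" 2>/dev/null
  done
}
count_valid() {  # issued certs that verify against ca.crt, cross-checked with index.txt
  n=0; for c in "$CADIR"/issued/*.crt; do
    openssl verify -CAfile "$CADIR/ca.crt" "$c" >/dev/null 2>&1 && n=$((n + 1)); done
  [ "$n" -eq "$(grep -c '^V' "$CADIR/index.txt")" ] && echo "$n"
}
```

Run `init_ca; make_csrs 3; sign_all; count_valid` to see three issued certificates; `index.txt` is the audit record of what the CA has signed, so it (and `private/ca.key`) is what needs the tightest access control.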