Hi,

We're in the process of designing a PKI infrastructure for our company, and I have a couple of design questions about it. I know this is an OpenSSL mailing list, but it seems the right place to discuss this. If it's not, I'd appreciate it if you could hand me some links to a more proper place.

I've been reading the man pages for OpenSSL, this mailing list, and also acquired the book "Planning for PKI". My main goal is to design a PKI for our server infrastructure (ldaps, https, mail, vpn, etc.). The problem is that, for example, when reading the mentioned book, all the examples are based on people, not on systems or services. So you have all these divisions by locality, department, etc., but always based on people.

I was thinking of building a hierarchical PKI in which I had the root CA, and then a subCA for each of the needed services. This last CA would be responsible for generating and signing certificates for each server related to the service it provides. So, for example, the subCA for LDAP would sign certificates for our master LDAP server, the slave LDAP server, and so on. Does this make sense?

If I also wanted to generate and sign certificates for people to use in their mail, should I place them in this PKI architecture, or create another one altogether? Should I place them in the mail service tree of this architecture?

Also, if a person connecting to one of these servers were to authenticate it, they should have the subCA's certificate and the root CA certificate to validate the certification path, right? That would mean that every person should have a certificate for each subCA or service they want to check, and the root CA. Is this correct?

How does all this sound to you? Whenever I try to look for examples, all I find is based on people, or very specific examples. I'll appreciate any comments on this.

Thanks,
Martín.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
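The three-tier layout described in the post (root CA, one sub-CA per service, server certificates issued by that sub-CA) can be built and checked end to end in a few dozen lines. The following is an added example, not code from the original post or from the OpenSSL project: it uses Go's standard crypto/x509 package instead of the openssl command line, builds the hierarchy in memory with constructed names (Example Corp, ldap-master.example.com), and then runs the chain validation a connecting client would perform under four different sets of trust material. The sub-CAs are issued with a path length of zero so they can sign server certificates but not further CAs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is the design from the post, built in memory: one root CA,
// one sub-CA per service, and a server certificate signed by the LDAP
// sub-CA. All names are constructed for this example.
type Hierarchy struct {
	Root, LDAPSub, MailSub, LDAPServer *x509.Certificate
}

var serial int64 // monotonically increasing serial number, fine for a demo

// caTemplate returns a CA certificate template. pathLenZero=true marks a
// sub-CA that may issue end-entity certificates only, never another CA.
func caTemplate(cn string, pathLenZero bool) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLenZero:        pathLenZero,
	}
}

// serverTemplate returns a TLS server certificate template for one host.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// keyAndCert generates a fresh P-256 key for the new entity and has the
// signer issue its certificate. A nil parent/signer means self-signed.
func keyAndCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(365 * 24 * time.Hour)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy issues root -> service sub-CAs -> one LDAP server cert.
func BuildHierarchy() (*Hierarchy, error) {
	root, rootKey, err := keyAndCert(caTemplate("Example Corp Root CA", false), nil, nil)
	if err != nil {
		return nil, err
	}
	ldapSub, ldapKey, err := keyAndCert(caTemplate("Example Corp LDAP Service CA", true), root, rootKey)
	if err != nil {
		return nil, err
	}
	mailSub, _, err := keyAndCert(caTemplate("Example Corp Mail Service CA", true), root, rootKey)
	if err != nil {
		return nil, err
	}
	ldapSrv, _, err := keyAndCert(serverTemplate("ldap-master.example.com"), ldapSub, ldapKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, LDAPSub: ldapSub, MailSub: mailSub, LDAPServer: ldapSrv}, nil
}

// VerifyServer validates a server certificate the way a client does:
// trusted is what the client has installed as trust anchors; presented is
// whatever extra certificates the server sent with its own (normally its
// sub-CA certificate). Untrusted extras are only used to build the chain.
func VerifyServer(leaf *x509.Certificate, host string, trusted, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Scenarios records whether the LDAP server certificate validates under
// four different combinations of trust material held by the client.
type Scenarios struct {
	RootTrustedSubPresented bool // client trusts root; server presents its LDAP sub-CA cert
	RootTrustedNothingElse  bool // client trusts root; server sends only its own cert
	RootTrustedWrongSub     bool // client trusts root; only the Mail sub-CA cert is available
	SubCATrustedDirectly    bool // client trusts the LDAP sub-CA itself as an anchor
}

func RunScenarios(h *Hierarchy) Scenarios {
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	ok := func(trusted, presented []*x509.Certificate) bool {
		return VerifyServer(h.LDAPServer, "ldap-master.example.com", trusted, presented) == nil
	}
	return Scenarios{
		RootTrustedSubPresented: ok(certs(h.Root), certs(h.LDAPSub)),
		RootTrustedNothingElse:  ok(certs(h.Root), nil),
		RootTrustedWrongSub:     ok(certs(h.Root), certs(h.MailSub)),
		SubCATrustedDirectly:    ok(certs(h.LDAPSub), nil),
	}
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", RunScenarios(h))
}
```

The first and second scenarios together make the practical point: a client holding only the root CA validates the LDAP server as long as the server hands over the sub-CA certificate in the handshake, and fails as soon as that intermediate is missing. The third shows that a sub-CA for another service does not help build the path, and the fourth that pinning a single service's sub-CA as the trust anchor also works, at the cost of one anchor per service.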