On Wed, Sep 02, 2009, Yin, Ben 1. (NSN - CN/Cheng Du) wrote:

> OK, regarding the CA deploy, such as, we have a one root ca and 1000 sub ca
> signed by root ca. and each sub ca used as ca by 1000 terminals. So the total
> network size is 1000*1000. All our ca, including root ca and sub ca, was
> stored offline. I need copy sub ca to terminal it was used. So if one of sub
> ca was compromised, what I need to do is sign a new sub ca using root ca and
> copy it to 1000 terminal where sub ca has been compromised. And if root ca
> was compromised, I need to re-deploy CA on 1000*1000 terminal manually. That
> is why I want to keep root ca out of the chain.
>

Including a public key certificate in no way risks the integrity of its
private key as several others have said in this thread.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
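
The point of the reply above, as an added example that is not part of the original message or of the OpenSSL project's own material: a throwaway root CA, sub CA and terminal certificate are built, the chain is verified from the certificate files alone, and the root certificate is shown to hold only the public half of the key pair. The subject names, file names and function names are constructed for the illustration, and the `openssl` command-line tool is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: constructed demo PKI; all names and files are placeholders.
# A minimal config keeps the result independent of the system openssl.cnf.
write_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Root CA -> sub CA -> terminal. The *.key files stand for the offline material.
build_demo_pki() {
    p=$1
    write_cnf "$p" &&
    openssl req -x509 -config "$p/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 30 \
        -keyout "$p/root.key" -out "$p/root.crt" -subj "/CN=Demo Root CA" 2>/dev/null &&
    openssl req -new -config "$p/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$p/sub.key" -out "$p/sub.csr" -subj "/CN=Demo Sub CA" 2>/dev/null &&
    openssl x509 -req -in "$p/sub.csr" -CA "$p/root.crt" -CAkey "$p/root.key" -set_serial 2 \
        -extfile "$p/ca.cnf" -extensions v3_ca -days 30 -out "$p/sub.crt" 2>/dev/null &&
    openssl req -new -config "$p/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$p/term.key" -out "$p/term.csr" -subj "/CN=terminal-0001" 2>/dev/null &&
    openssl x509 -req -in "$p/term.csr" -CA "$p/sub.crt" -CAkey "$p/sub.key" -set_serial 3 \
        -days 30 -out "$p/term.crt" 2>/dev/null
}

# A verifier needs certificates only: root as trust anchor, sub CA as untrusted chain.
chain_verifies() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/term.crt" >/dev/null 2>&1
}

# True only if the file holds a private key that OpenSSL can load.
has_private_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# True if certificate $1 carries the public half of private key $2.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo=$(mktemp -d) && build_demo_pki "$demo" && chain_verifies "$demo" &&
    ! has_private_key "$demo/root.crt" && echo "chain verifies; root.crt holds no private key"
rm -rf "$demo"
```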