Re: how to bring a CA into directory

Klaus Lemkau wrote:
> we have a standalone e-mail CA and want to bring
> it into our LDAP directory (LDAP v2 schema).
> Now the question is, what ObjectClass to use.
> When we use the objectclass certificationAuthority
> we also need an 'authorityRevocationList'.

Why not use objectclass 'pkiCA' as defined in RFC 2587? Or you can define your own CA objectclass, as we have done, as SUP of pkiCA.

> - is the objectClass certificationAuthority
> also designed for standalone CAs?
You can use objectclasses and attributes wherever you want (but make sure you have a unique OID). So why not use it for standalone CAs?

> - who signs an authorityRevocationList (a CA which has signed sub-CAs)?
Usually a CA signs the ARL, which contains a list of revoked subordinate CA certificates. The question 'who signs the revoked Root CA certificate' is still the Gretchenfrage (sorry, I don't know the English equivalent).


Armin Wenz
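To make the schema difference behind this exchange concrete, here is an added example (not code from either poster): it encodes the MUST/MAY attribute sets of certificationAuthority (RFC 2256) and pkiCA (RFC 2587) and checks a constructed standalone e-mail CA entry, which has a CA certificate and a CRL but no ARL, against both. The entry values are placeholders, not real DER data.

```python
from typing import Dict, List

# Auxiliary object classes for CA entries, as defined in RFC 2256
# (certificationAuthority) and RFC 2587 (pkiCA).
# MUST attributes are mandatory, MAY attributes are optional.
CA_CLASSES = {
    "certificationAuthority": {            # OID 2.5.6.16, RFC 2256
        "MUST": {"authorityRevocationList", "certificateRevocationList",
                 "cACertificate"},
        "MAY": {"crossCertificatePair"},
    },
    "pkiCA": {                             # OID 2.5.6.22, RFC 2587
        "MUST": set(),
        "MAY": {"cACertificate", "certificateRevocationList",
                "authorityRevocationList", "crossCertificatePair"},
    },
}


def attribute_types(attrs: Dict[str, bytes]) -> set:
    """Strip attribute options such as ';binary' (RFC 2587 stores these
    values with that option) so 'cACertificate;binary' matches the schema."""
    return {name.split(";")[0] for name in attrs}


def missing_must(object_class: str, attrs: Dict[str, bytes]) -> List[str]:
    """Mandatory attributes the entry lacks for the given auxiliary class."""
    present = attribute_types(attrs)
    return sorted(CA_CLASSES[object_class]["MUST"] - present)


def usable_classes(attrs: Dict[str, bytes]) -> List[str]:
    """CA object classes whose MUST set the entry satisfies."""
    return [oc for oc in CA_CLASSES if not missing_must(oc, attrs)]


# Constructed entry: a standalone e-mail CA publishes its own certificate and
# a CRL for end-entity certificates, but has no subordinate CAs, hence no ARL.
STANDALONE_CA = {
    "cACertificate;binary": b"<DER-encoded CA certificate, placeholder>",
    "certificateRevocationList;binary": b"<DER-encoded CRL, placeholder>",
}

if __name__ == "__main__":
    print(missing_must("certificationAuthority", STANDALONE_CA))  # ['authorityRevocationList']
    print(usable_classes(STANDALONE_CA))                           # ['pkiCA']
```

Adding an authorityRevocationList value (even an empty, signed ARL) makes the same entry acceptable under certificationAuthority as well.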