Standalone Subsystems Use Cases - dogtagpki/pki GitHub Wiki
- A PKI deployment should be able to set up a KRA without the need to have a CA.
  - This stand-alone KRA should not be expected to communicate with any other PKI subsystem (with the possible exception of any KRAs that have been cloned from this stand-alone KRA).
  - This stand-alone KRA should host its own security domain.
  - This stand-alone KRA will require five PKI subsystem certificates to be signed and issued by a single External CA:
    - Transport Certificate
    - Storage Certificate
    - SSL Server Certificate
    - Subsystem Certificate
    - Audit Log Signing Certificate
  - Additionally, for administration purposes, this KRA will require an Administration Certificate to be signed and issued by the same External CA that signed its other five certificates.
  - This stand-alone KRA should be able to be cloned.
    - Each KRA clone will be limited to using the master KRA security domain.
- A PKI deployment should be able to clone a KRA from a fully configured stand-alone KRA.
  - This cloned KRA should not be expected to communicate with any PKI subsystem other than the master stand-alone KRA from which it was cloned.
  - This cloned KRA must use the master stand-alone KRA as its security domain.
  - This cloned KRA will require one PKI subsystem certificate to be signed and issued by the same External CA that was utilized by the master stand-alone KRA:
    - SSL Server Certificate
  - **Note:** For administration purposes, this cloned KRA will utilize the Administration Certificate that was signed and issued for the KRA master.
- A PKI deployment should be able to set up an OCSP without the need to have a CA.
  - This stand-alone OCSP should not be expected to communicate with any other PKI subsystem (with the possible exception of any OCSPs that have been cloned from this stand-alone OCSP).
  - This stand-alone OCSP should host its own security domain.
  - This stand-alone OCSP will require four PKI subsystem certificates to be signed and issued by a single External CA:
    - OCSP Signing Certificate
    - SSL Server Certificate
    - Subsystem Certificate
    - Audit Log Signing Certificate
  - Additionally, for administration purposes, this OCSP will require an Administration Certificate to be signed and issued by the same External CA that signed its other four certificates.
  - This stand-alone OCSP should be able to be cloned.
    - Each OCSP clone will be limited to using the master OCSP security domain.
- A PKI deployment should be able to clone an OCSP from a fully configured stand-alone OCSP.
  - This cloned OCSP should not be expected to communicate with any PKI subsystem other than the master stand-alone OCSP from which it was cloned.
  - This cloned OCSP must use the master stand-alone OCSP as its security domain.
  - This cloned OCSP will require one PKI subsystem certificate to be signed and issued by the same External CA that was utilized by the master stand-alone OCSP:
    - SSL Server Certificate
  - **Note:** For administration purposes, this cloned OCSP will utilize the Administration Certificate that was signed and issued for the OCSP master.
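The KRA and OCSP use cases above share one rule set: a stand-alone master hosts its own security domain, gets its full set of subsystem certificates plus an Administration Certificate from a single External CA, and a clone gets only an SSL Server Certificate from that same CA, uses the master as its security domain, and reuses the master's Administration Certificate. The following is an added example, not code from the Dogtag PKI project, that checks a planned deployment against those rules before any certificate requests are sent to the External CA. The role keys (`transport`, `ocsp_signing`, ...), the `Deployment`/`Cert` types, the hostnames and the issuer DNs are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Roles each stand-alone master must have signed by the single External CA
# (the five KRA and four OCSP subsystem certificates listed on the page).
# The role keys are hypothetical labels chosen for this example.
REQUIRED_SUBSYSTEM_CERTS = {
    "KRA": frozenset({"transport", "storage", "sslserver", "subsystem", "audit_signing"}),
    "OCSP": frozenset({"ocsp_signing", "sslserver", "subsystem", "audit_signing"}),
}
# A clone obtains only its own SSL Server Certificate from the same External CA.
CLONE_SUBSYSTEM_CERTS = frozenset({"sslserver"})


@dataclass(frozen=True)
class Cert:
    role: str    # e.g. "transport" (hypothetical role key)
    issuer: str  # issuer DN as it would appear in the certificate


@dataclass
class Deployment:
    subsystem: str                     # "KRA" or "OCSP"
    hostname: str
    security_domain: str               # hostname of the subsystem hosting the domain
    certs: dict[str, Cert] = field(default_factory=dict)
    admin_cert: Cert | None = None     # only the master gets its own admin cert
    master: Deployment | None = None   # set on clones


def check_deployment(d: Deployment) -> list[str]:
    """Return the requirement violations found; an empty list means the plan is consistent."""
    if d.subsystem not in REQUIRED_SUBSYSTEM_CERTS:
        return [f"unsupported subsystem {d.subsystem!r}"]
    problems: list[str] = []
    issuers = {c.issuer for c in d.certs.values()}

    if d.master is None:
        required = REQUIRED_SUBSYSTEM_CERTS[d.subsystem]
        if d.security_domain != d.hostname:
            problems.append("stand-alone master must host its own security domain")
        if d.admin_cert is None:
            problems.append("master needs an Administration Certificate from the same External CA")
        else:
            issuers.add(d.admin_cert.issuer)
    else:
        required = CLONE_SUBSYSTEM_CERTS
        if d.master.master is not None or d.master.subsystem != d.subsystem:
            problems.append("clone must be created from a stand-alone master of the same type")
        if d.security_domain != d.master.hostname:
            problems.append("clone must use the master's security domain")
        if d.admin_cert is not None:
            problems.append("clone reuses the master's Administration Certificate; it should not get its own")
        # The clone's certificate must come from the CA that signed the master's certificates.
        issuers |= {c.issuer for c in d.master.certs.values()}

    missing = required - set(d.certs)
    extra = set(d.certs) - required
    if missing:
        problems.append(f"missing certificates: {sorted(missing)}")
    if extra:
        problems.append(f"unexpected certificates: {sorted(extra)}")
    if len(issuers) > 1:
        problems.append(f"certificates issued by more than one CA: {sorted(issuers)}")
    return problems


def sample_plans() -> dict[str, Deployment]:
    """Constructed samples: a valid KRA master and clone, and a clone that breaks two rules."""
    ext = "CN=External CA,O=Example"   # constructed issuer DN of the single External CA
    other = "CN=Other CA,O=Example"    # constructed DN of a different CA
    master = Deployment(
        "KRA", "kra1.example.test", "kra1.example.test",
        certs={r: Cert(r, ext) for r in REQUIRED_SUBSYSTEM_CERTS["KRA"]},
        admin_cert=Cert("admin", ext),
    )
    clone = Deployment("KRA", "kra2.example.test", "kra1.example.test",
                       certs={"sslserver": Cert("sslserver", ext)}, master=master)
    # Hosts its own security domain and has an SSL Server cert from a different CA.
    bad_clone = Deployment("KRA", "kra3.example.test", "kra3.example.test",
                           certs={"sslserver": Cert("sslserver", other)}, master=master)
    return {"master": master, "clone": clone, "bad_clone": bad_clone}


if __name__ == "__main__":
    for name, plan in sample_plans().items():
        print(name, check_deployment(plan) or "ok")
```

Running the block prints `ok` for the master and the clone and two violations for `bad_clone`. The same function covers an OCSP deployment by passing `"OCSP"` as the subsystem, since only the required role set differs between the two use cases.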