
eDirectory PKI and Intermediate CA

Best practice now for issuing certs is to always issue them from an Intermediate CA, not the Root CA.  The eDir PKI, as far as I can tell, only allows for a single root CA.  Is there a way to use an Intermediate CA with eDir?  I thought maybe create a separate tree and CA and use that to issue the Intermediate and then keep it offline/isolated.  Would something like that work?  I know the Microsoft PKI has extensive documentation on how to do this with their PKI.

Matt

Re: eDirectory PKI and Intermediate CA

There are all kinds of possible combinations out there....

Some people will baulk at what I've done, but I've created a root CA and an intermediate CA with openssl then imported the intermediate into eDir...

When a business is mature enough for internal CAs, then it's likely they would have some sort of HSM that would have all the policies and controls around it and it would be more likely that it would be used to sign certificates required by eDirectory rather than relying on eDirectory's CA component.

_____________
Bernard: "Of course, in the service, CMG stands for Call Me God. And KCMG for Kindly Call Me God."
Hacker: "What about GCMG?"
Bernard: "God Calls Me God."
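
The two-tier hierarchy the reply above describes (a root CA that stays offline, an intermediate CA that does the day-to-day signing), as an added example that is not code from the thread or from eDirectory: it builds both CAs with the openssl CLI, issues one leaf certificate from the intermediate, and then verifies the chain with and without the intermediate. It assumes only that the `openssl` binary (1.0.2 or later) is on PATH; the organisation name, subjects, path-length values, key sizes and the `ldap.example.test` host are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): offline root CA -> intermediate CA -> leaf,
# built with the openssl CLI. Assumes only openssl (1.0.2+) on PATH.
# Subjects, lifetimes and paths are constructed for the example.
set -eu

# A self-contained openssl config so the result does not depend on the
# distribution's openssl.cnf. v3_root has pathlen:1 (may sign one CA level
# below it), v3_int has pathlen:0 (may sign end-entity certs only).
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build root, intermediate and one leaf under directory $1.
# root.key is the material you would keep offline (separate tree, HSM, ...);
# int.crt/int.key are the pieces an issuing system such as eDir would hold.
build_two_tier_pki() {
    pki="$1"
    cnf="$pki/openssl.cnf"
    mkdir -p "$pki"
    write_openssl_cnf "$cnf"

    # 1. Self-signed root CA (10 years, constructed lifetime).
    openssl req -new -x509 -config "$cnf" -extensions v3_root \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Org/CN=Example Offline Root CA" \
        -keyout "$pki/root.key" -out "$pki/root.crt"

    # 2. Intermediate CA: CSR signed by the root with the v3_int extensions.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=Example Issuing CA" \
        -keyout "$pki/int.key" -out "$pki/int.csr"
    openssl x509 -req -in "$pki/int.csr" -sha256 -days 1825 \
        -CA "$pki/root.crt" -CAkey "$pki/root.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_int -out "$pki/int.crt"

    # 3. Leaf (e.g. an LDAP server cert) signed by the intermediate only.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=ldap.example.test" \
        -keyout "$pki/leaf.key" -out "$pki/leaf.csr"
    openssl x509 -req -in "$pki/leaf.csr" -sha256 -days 397 \
        -CA "$pki/int.crt" -CAkey "$pki/int.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_leaf -out "$pki/leaf.crt"

    # The chain a server should present: leaf first, then its issuer.
    cat "$pki/leaf.crt" "$pki/int.crt" > "$pki/leaf-chain.pem"
}

# Verify the leaf against the trusted root, supplying the intermediate as an
# untrusted chain member. Returns 0 when the chain is valid.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Same check without the intermediate: the classic "missing intermediate"
# failure clients hit when a server serves only its leaf. Returns non-zero.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Print the leaf's issuer DN (should name the intermediate, not the root).
leaf_issuer() {
    openssl x509 -in "$1/leaf.crt" -noout -issuer
}

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
build_two_tier_pki "$PKI_DIR"
verify_with_intermediate "$PKI_DIR" && echo "chain verifies with intermediate: OK"
verify_without_intermediate "$PKI_DIR" || echo "leaf alone does not chain to root (expected)"
leaf_issuer "$PKI_DIR"
```

The `pathlen:0` on the intermediate is the control worth keeping: even if the intermediate's key is exposed, it cannot mint a further CA that verifiers would accept, and the root key never needs to be on the system that issues certificates. The second `verify` call shows why the full chain (`leaf-chain.pem`) has to be configured on the server rather than the leaf alone.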

Re: eDirectory PKI and Intermediate CA

>Some people will baulk at what I've done, but I've created a root CA and an intermediate CA with openssl then imported the intermediate into eDir...

I'm kinda thinking the same thing but use a standalone eDir to hold the root CA.  I think it would work.

>When a business is mature enough for internal CAs, then it's likely they would have some sort of HSM that would have all the policies and controls around it and it would be more likely that it would be used to sign certificates required by eDirectory rather than relying on eDirectory's CA component.

Agreed.  But it would be nice to have the option to use eDir's PKI for this for limited use scenarios.