CA Architecture

mbrossar · Jun 30, 2014, 6:40 PM

I'm just getting started setting up a Certificate Authority Architecture. I may have some mis-understandings, but from what I've read, it looks like…

I want to set up a central CA that signs for a set of Intermediate Certificate Authorities (ICAs).
My CA should not sign individual certificates. It should only vouch for my ICAs.
All of my certificates are signed by an appropriate ICA.

I have a few sites that I am working on connecting via site to site VPNs using pfSense boxes. I am thinking about leveraging the CA functionality within pfSense. My question is, can I create an ICA on a site that refers to a CA that's on another site, at the end of a tunnel or does an ICA need to be on the same box as its CA?

MindfulCoyote · Jun 30, 2014, 7:21 PM

@mbrossar:

I want to set up a central CA that signs for a set of Intermediate Certificate Authorities (ICAs).

@mbrossar:

My CA should not sign individual certificates. It should only vouch for my ICAs.

@mbrossar:

All of my certificates are signed by an appropriate ICA.

@mbrossar:

I have a few sites that I am working on connecting via site to site VPNs using pfSense boxes. I am thinking about leveraging the CA functionality within pfSense. My question is, can I create an ICA on a site that refers to a CA that's on another site, at the end of a tunnel or does an ICA need to be on the same box as its CA?