CA Architecture



  • I'm just getting started setting up a Certificate Authority Architecture.  I may have some mis-understandings, but from what I've read, it looks like…

    • I want to set up a central CA that signs for a set of Intermediate Certificate Authorities (ICAs).

    • My CA should not sign individual certificates.  It should only vouch for my ICAs.

    • All of my certificates are signed by an appropriate ICA.

    I have a few sites that I am working on connecting via site to site VPNs using pfSense boxes.  I am thinking about leveraging the CA functionality within pfSense.  My question is, can I create an ICA on a site that refers to a CA that's on another site, at the end of a tunnel or does an ICA need to be on the same box as its CA?



  • @mbrossar:

    • I want to set up a central CA that signs for a set of Intermediate Certificate Authorities (ICAs).

    @mbrossar:

    • My CA should not sign individual certificates.  It should only vouch for my ICAs.

    @mbrossar:

    • All of my certificates are signed by an appropriate ICA.

    @mbrossar:

    I have a few sites that I am working on connecting via site to site VPNs using pfSense boxes.  I am thinking about leveraging the CA functionality within pfSense.  My question is, can I create an ICA on a site that refers to a CA that's on another site, at the end of a tunnel or does an ICA need to be on the same box as its CA?


Log in to reply