Separate CA

It is also possible to separate the CA from the EEs (the applicants).

Variant 1: The easy one

Let’s setup a PKI in pki_with_separate_ca_1 with a subdirectory ca (where the CA resides) and a subdirectory ee for the EE certificates:

mkdir -p ~/repositories/pki_with_separate_ca_1 && cd $_ && mkdir ca ee

We just create a server intermediate CA and a server EE in this example. But the procedure is the same for client and user.

In the subdirectory ca, we create our CA:

cd ca
~/repositories/pki_tools/pki -c -a ec
./pki -m -t ca root server
cd ..

We create the local configuration for the server EE server1 and set the path to the parent CA directory explicitly vi pki command line option -p. Watch that a relative path starts from subdirectory example.org_server_server1_ec. If in doubt, use an absolute path.

cd ee
~/repositories/pki_tools/pki -c -a ec
./pki -p ../../ca/example.org_ca_server_ec  -t server server1
cd example.org_server_server1_ec
make

Finally, we can enter the subdirectory example.org_server_server1_ec and create the server EE certificate:

cd ee
cd example.org_server_server1_ec
make

As a conclusion, we just use the pki command line option -p for the separation. This works, because the CA has direct access to the EE and vice versa.

Variant 2: The hard one

Variant 2 describes a PKI, where the CA and the EE are completely separated from each other in a way that the CA cannot make a “house call”. (For example, CA and EE may be located on different systems.)

There is a little bit more to type, because for this variant in the CA environment (on system A) we need a “real” CA and a “proxy” EE, and in the EE environment (on system B) we need a “real” EE and a “proxy” CA.

Let’s setup a PKI in pki_with_separate_ca_2 with a subdirectory ca (where the CA resides) and a subdirectory ee for the EE certificates. Remember: The ee subdirectory may also be located on a different system. (Okay, in our example it’s not.)

mkdir -p ~/repositories/pki_with_separate_ca_2 && cd $_ && mkdir ca ee

In the subdirectory ca (on our hypothetical system A), we create our “real” CA as usual:

cd ca
~/repositories/pki_tools/pki -c -a ec
./pki -m -t ca root server
cd ..

In the subdirectory ee (on our hypothetical system B), we create the local configuration for our “proxy” CA (but only the configuration):

cd ee
~/repositories/pki_tools/pki -c -a ec
./pki -t ca root server

Now, we copy some files from our “real” CA to our “proxy” CA:

cp -ai ../ca/example.org_ca_root_ec/example.org_ca_root_ec_cert.pem example.org_ca_root_ec
cp -ai ../ca/example.org_ca_root_ec/example.org_ca_root_ec_crl.pem example.org_ca_root_ec

cp -ai ../ca/example.org_ca_server_ec/example.org_ca_server_ec_cert.pem example.org_ca_server_ec
cp -ai ../ca/example.org_ca_server_ec/example.org_ca_server_ec-example.org_ca_root_ec_chain.pem example.org_ca_server_ec
cp -ai ../ca/example.org_ca_server_ec/example.org_ca_server_ec_crl.pem example.org_ca_server_ec

In the subdirectory ee (on our hypothetical system B), we create the local configuration for the “real” server EE server1 and create a CSR:

./pki -t server server1
cd example.org_server_server1_ec
make csr

We cannot just enter make, because the CA does not have direct access to the CSR.

In the subdirectory ca (on our hypothetical system A), we create the local configuration for the “proxy” server EE server1:

cd ../../ca
./pki -t server server1
cd example.org_server_server1_ec

In this “proxy” EE, we replace the symlink to Makefile with a symlink to Makefile_ca_cert_only:

ln -sf pki_tools/Makefile_ca_cert_only Makefile

We copy the CSR from the “real” EE” to the “proxy” EE and sign it:

cp -ai ../../ee/example.org_server_server1_ec/example.org_server_server1_ec_csr.pem .
make

Now, where we have the signed certificate for your server1 in the “proxy” EE, we copy the certificate (and its OpenSSL configuration) to the “real” EE:

cp -ai example.org_server_server1_ec_cert.cnf ../../ee/example.org_server_server1_ec
cp -ai example.org_server_server1_ec_cert.pem ../../ee/example.org_server_server1_ec

After that, we enter the directory of our “real” server EE server1 and execute make to create the chain and PKCS files:

cd ../../ee/example.org_server_server1_ec
make

Finally, we are done. Watch that the CSR has been transferred from the “real” EE (inside the EE environment) to the “proxy” EE (inside the CA environment) and that the signed certificate (together with its OpenSSL configuration) has been transferred from the “proxy” EE (inside the CA environment) to the “real” EE (inside the EE environment).

The “proxy” CA (inside the EE environment) contains the CA certificate files, certificate chain files, and revocation lists.

Further EE certificates can be created in the same way.