One used to be able to cross certify both branch and leaf entities such as:
O to O or
O to OU or
OU to OU or
OU to Server or
Server to Server
ND6 will not allow one to use a Server ID to issue a cross certification. This seems to take a huge bite out of the granularity argument. If my server OU cross certifies server A in another organization, ALL of my servers in the server OU would also cross certify that other organization’s server.
I really hope I’m missing something here, but I’ve looked and cannot find a workaround?
Do I need to keep an R5 client/administrator around?
Subject: Haven’t seen this?
I have created several cross certificates from the ND6 Admin client and I don’t seem to have your problem. After I’ve selected my certifier ID and the ID to be certified, in the ‘Issue cross certificate’ box, the Subject Name field is a drop down menu where I can choose the O, OU/O or CN/OU/O of the id to be certified.
Subject: RE: Haven’t seen this?
After I’ve selected my certifier ID
This tells it all. You have to now have a certifier, not an end entity (EE) to issue the cross certification. Why would I in essence want to have my entire server OU or my entire O to trust this outside entity?
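A small model of the trust scope that the two posts above argue over, added here as an illustration and not code from any poster or from Notes/Domino itself. It assumes the usual hierarchical naming (CN/OU/O) and constructed organization names; a cross certificate issued at a given level is taken to make every local name under the issuer trust every remote name under the subject, which is what the granularity concern in the thread amounts to.

```python
from dataclasses import dataclass

# Constructed sample names for the local organization's server OU.
ACME_SERVERS = [
    "CN=ServerA/OU=Servers/O=Acme",
    "CN=ServerB/OU=Servers/O=Acme",
]


def components(name: str) -> list[str]:
    """Split a hierarchical name into its parts, most specific first."""
    # "CN=ServerA/OU=Servers/O=Acme" -> ["CN=ServerA", "OU=Servers", "O=Acme"]
    return [p.strip() for p in name.split("/") if p.strip()]


def is_under(entity: str, ancestor: str) -> bool:
    """True if `ancestor` is the entity itself or one of its certifiers."""
    e, a = components(entity), components(ancestor)
    return len(a) <= len(e) and e[len(e) - len(a):] == a


@dataclass(frozen=True)
class CrossCert:
    issuer: str   # the local ID that signed (O, OU or a single server)
    subject: str  # the remote name being vouched for (O, OU/O or CN/OU/O)


def trusts(cert: CrossCert, local: str, remote: str) -> bool:
    """Does `local` trust `remote` on the strength of this cross certificate?"""
    return is_under(local, cert.issuer) and is_under(remote, cert.subject)


def trusting_servers(cert: CrossCert, local_servers: list[str], remote: str) -> list[str]:
    """Which local servers end up trusting `remote` because of `cert`."""
    return [s for s in local_servers if trusts(cert, s, remote)]


if __name__ == "__main__":
    partner = "CN=ServerX/OU=Hub/O=Partner"
    # Issued by the server OU: every server under that OU now trusts ServerX.
    print(trusting_servers(CrossCert("OU=Servers/O=Acme", partner), ACME_SERVERS, partner))
    # Issued by a single server ID: only that server trusts ServerX.
    print(trusting_servers(CrossCert(ACME_SERVERS[0], partner), ACME_SERVERS, partner))
```

Run it to see the OU-issued certificate pull in both servers while the server-issued one covers only ServerA.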
Subject: RE: Haven’t seen this?
Ok, so it will allow the EE to be used, but the CA process has certainly provided a challenge in the process here.
When using the CA process, an ID file is created before it is certified. That ID file, in our organization, is stored for backup, and apparently does not update after the Public Key is certified by the CA. We take the backup to the server for installation. That copy of the ID is then updated and certified with the correct information. Our backup copy was all but useless. Had a catastrophe occurred, and we needed the backup, the one on the server would have been the one to have. Lessons learned. We now have those backups, and have removed the useless ones.
My apologies for the interruption, but you may want to take note here.