[Pki-users] CErtificate profile validation

Arshad Noor arshad.noor at strongauth.com
Mon Mar 22 16:42:59 UTC 2010


Technically, it can occur at either or both locations.  However, from a business
and operational point of view, most PKIs do the verification at the RA.  This is
because it allows different RAs to use different policies, procedures and tools
to do the key-generation, verification, etc., before sending the verified CSR to
the CA for signing.

From an operational point of view, having RAs do the verification allows you to
scale a CA to sign more certificates in a given unit of time if it only had to
sign certificates and CRLs instead of verifying and signing.

Yes, the CA can indeed add all the required constraints/extensions as needed to 
the certificate based on the profile, before it signs the CSR.

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Thomas Shanthi-LST016" <Shanthi.Thomas at motorola.com>
To: pki-users at redhat.com
Sent: Monday, March 22, 2010 9:00:59 AM (GMT-0800) America/Los_Angeles
Subject: [Pki-users] CErtificate profile validation
