<!--#set var="pyca_subtitle" value="Overview"-->
<!--#set var="pyca_pagedescription" value="Architectural overview"-->
<!--#include file="ssi/head.html"-->
<!--#include file="ssi/navigation.html"-->
This is an overview of the proposed system architecture for running pyCA.

Note that pyCA implements a certificate authority - not a trust center.
No private keys of users are stored by pyCA at any time!
The users themselves are responsible for making backup copies of
their private keys and certificates!

<a name="Systems">Systems</a>

The following systems are part of the public-key infrastructure (PKI):

<a name="client_system">Client system</a>

This is the system of the user accessing the PKI services, typically
running mail, WWW and/or LDAP client software. The user generates the
key pairs and stores the private keys themselves.

<a name="public_system">Public server system</a>

The public server system(s) hold only public certificate data, such as
issued client and server certificates and certificate revocation
lists (CRLs), and run Internet services like mail, WWW and/or LDAP
to give users access to the certificate data.<br />
No private keys are stored on this system at all.
However, the system administrator still has to secure this system in
the usual manner (firewalls, no other users etc.).
The services provided by this system should also be protected by
the SSL protocol to provide server authentication and integrity
protection for the data in transit.

<a name="private_system">Private CA system</a>

The private keys of the certificate authority should be held on a
non-networked system which is only accessible to persons authorized to
issue certificates (e.g. a notebook kept in a safe might be a
practical choice). Data exchanged between this system and the
<a href="#public_system">public server system</a> is transported on
removable storage media.<br />
If better support for cryptographic devices becomes available in OpenSSL,
it is highly recommended that the private key data be stored on such a
device, e.g. a smart card.
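The invariant that matters at the boundary between the private CA system and the public server system is that only public objects (certificates and CRLs) ever cross the removable medium, so the public server should check what it imports before publishing it. The following import gate is an added example, not part of pyCA: it scans the PEM data read from the medium, accepts only CERTIFICATE and X509 CRL blocks, and rejects the whole medium if any private key block or malformed block is present. All sample data is constructed placeholder text, not real certificates, CRLs or keys.

```python
"""Import gate for the public server system (added example, not pyCA code):
accept only public PKI objects from the medium brought over from the CA."""
import base64
import binascii
import re
# Object types the public server is allowed to hold and publish.
ALLOWED_LABELS = {"CERTIFICATE", "X509 CRL"}
# One PEM block; BEGIN/END labels are captured separately to detect mismatches.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----", re.DOTALL)

class ImportRejected(Exception):
    """The medium carries something the public server must not hold."""

def scan_import(pem_text):
    """Return [(label, der_length), ...] for every acceptable PEM object.
    Any private-key block, label outside ALLOWED_LABELS, mismatched BEGIN/END
    pair or undecodable body rejects the whole medium: nothing is published
    unless everything on it is public data."""
    accepted = []
    for m in PEM_BLOCK.finditer(pem_text):
        begin, end = m.group("begin"), m.group("end")
        if "PRIVATE KEY" in begin:
            raise ImportRejected("private key material found: " + begin)
        if begin != end:
            raise ImportRejected("BEGIN %s closed by END %s" % (begin, end))
        if begin not in ALLOWED_LABELS:
            raise ImportRejected("unexpected object type: " + begin)
        try:  # drop line breaks, then require strict base64
            der = base64.b64decode("".join(m.group("body").split()), validate=True)
        except binascii.Error as exc:
            raise ImportRejected(begin + ": body is not valid base64") from exc
        accepted.append((begin, len(der)))
    return accepted

def medium_is_publishable(pem_text):
    # True only if every object on the medium passed the gate.
    try:
        scan_import(pem_text)
        return True
    except ImportRejected:
        return False

def _pem(label, payload):
    # Constructed sample block; payload is placeholder bytes, not real DER.
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample media, not real certificates, CRLs or keys.
GOOD_MEDIUM = _pem("CERTIFICATE", b"client-cert-der") + _pem("X509 CRL", b"crl-der-data")
BAD_MEDIUM = GOOD_MEDIUM + _pem("RSA PRIVATE KEY", b"must-never-leave-the-ca")
```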
<!--#include file="ssi/footer.html"-->