hs_pki/design/hs_pki_ldap


ou=Peoples,dc=hackerspace,dc=pl
ou=Services,dc=hackerspace,dc=pl
ou=Group,dc=hackerspace,dc=pl
# Root of PKI
cn=PKI,ou=Services,dc=hackerspace,dc=pl
# Certificate templates (access: read-only for servers, read-write for KC)
ou=Templates,ou=Certificate,cn=PKI,ou=Services,dc=hackerspace,dc=pl
# Authority Information Access (CA bundle; all CA certificates are published here,
# each CA has its own subtree here)
cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
cn=CA1,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
cn=CA2,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
...
# PKI KC certificate store (access: read-write for servers, read-only for KC):
cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
uid=enleth,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
uid=cranix,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
uid=q3k,cn=KC,cn=AIA,cn=PKI,ou=Services,dc=hackerspace,dc=pl
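# CRL Distribution Points - each CA has its own
# NOTE(review): the per-CA entries below are listed under cn=CA1 / cn=CA2 rather than
# under cn=CDP; confirm whether cn=CAn,cn=CDP,cn=PKI,... was the intended parent.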
cn=CDP,cn=PKI,ou=Services,dc=hackerspace,dc=pl
cn=CA1,cn=CA1,cn=PKI,ou=Services,dc=hackerspace,dc=pl
cn=CA2,cn=CA2,cn=PKI,ou=Services,dc=hackerspace,dc=pl
...
# Issued certificates
cn=Certificates,cn=PKI,ou=Services,dc=hackerspace,dc=pl
uid=d3llf,cn=Certificates,cn=PKI,ou=Services,dc=hackerspace,dc=pl
# End user certificates
cn=People,cn=Certificates,cn=PKI,ou=Services,dc=hackerspace,dc=pl
# Application certificates
cn=App1,cn=Certificates,cn=PKI,ou=Services,dc=hackerspace,dc=pl
cn=App2,cn=Certificates,cn=PKI,ou=Services,dc=hackerspace,dc=pl
...