Description
In the event of revoking a subordinate CA certificate, we need to follow a procedure similar to the one used for revoking the rootCA certificate, but it affects only the certificates that are signed by the subordinate CA certificate being revoked.
When we have an internally generated rootCA certificate:
The new subordinate CA certificate does not have to be distributed: it will be part of the certificate bundles that are provided upon signing new certificates, and the new subordinate CA certificate will be signed by one of the existing subordinate CA certificates.
In this case extra care has to be taken: when we revoke a particular subordinate CA certificate, we must not revoke the last one that still inherits trust from the existing rootCA certificate. If a revocation breaks the chain of trust from the existing rootCA certificate, then the rootCA certificate has to be revoked.
When we have an externally configured rootCA certificate:
The system should use that rootCA certificate to sign the new subordinate CA certificate.
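The following is an added example, not part of this document or of the system it describes: it models the internally generated rootCA case, where each new subordinate CA is signed by an existing one, and checks before a revocation whether at least one subordinate CA would still chain to the root, reporting which subordinate CAs the revocation orphans. The CA names, the simplified certificate record and the sample hierarchy are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

ROOT = "rootCA"  # the trust anchor; hypothetical name used only in this example

@dataclass
class CaCert:
    name: str
    issuer: str          # name of the CA whose key signed this certificate
    revoked: bool = False

def trusted_sub_cas(cas: dict[str, CaCert], revoked: set[str]) -> set[str]:
    """Subordinate CAs whose chain up to ROOT contains no revoked certificate."""
    trusted = set()
    for name, cert in cas.items():
        cur, seen, ok = cert, set(), True
        while True:
            if cur.name in revoked or cur.revoked or cur.name in seen:
                ok = False          # revoked ancestor or a cycle: chain is broken
                break
            seen.add(cur.name)
            if cur.issuer == ROOT:
                break               # reached the root: chain is intact
            if cur.issuer not in cas:
                ok = False          # unknown issuer: cannot chain to ROOT
                break
            cur = cas[cur.issuer]
        if ok:
            trusted.add(name)
    return trusted

def revocation_impact(cas, target, already_revoked=frozenset()):
    """Return (safe, orphaned): safe is False when revoking `target` would leave
    no subordinate CA chaining to ROOT, i.e. the rootCA certificate itself would
    have to be revoked; orphaned is the set of sub CAs whose chain it breaks."""
    before = trusted_sub_cas(cas, set(already_revoked))
    after = trusted_sub_cas(cas, set(already_revoked) | {target})
    return bool(after), before - after

def sample_hierarchy() -> dict[str, CaCert]:
    """Constructed sample: sub1 signed by the root, each later sub CA signed by
    the previous one, as described for an internally generated rootCA."""
    cas = [CaCert("sub1", ROOT), CaCert("sub2", "sub1"), CaCert("sub3", "sub2")]
    return {c.name: c for c in cas}

if __name__ == "__main__":
    hier = sample_hierarchy()
    for target in ("sub3", "sub1"):
        safe, orphaned = revocation_impact(hier, target)
        print(target, "safe" if safe else "UNSAFE: rootCA must be revoked", sorted(orphaned))
```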