naming all the certs used by the CA
Robert Moskowitz
rgm at htt-consult.com
Mon May 15 16:44:41 UTC 2023
this is the first time in decades I have been doing serious PKi design,,,
I am now looking at the various certificates, each with different
keypairs that the CA uses.
It has its base authorization-to-exist cert that SHOULD rarely be used
other than to sign its other certs.
It has a signing cert for signing the certs of all of its subscribers.
It has a CRL signing cert, well for signing any CRLs it generates.
It may have an OSCP signing cert.
...
The question is what to use for subjectName for all of these? What is
the "common" practice. I have been googling and reading docs all
morning and not finding anything on this subject.
Is the practice to use a lower OU level for these certs below the CA's
base cert?
Are they all named the same (unique_subject=no) with only the
subjectKeyIdentifier different and the CA operator 'knowing' which to
use where, but not (necessarily) outsiders to the CA?
Duplicate subjectName, but something like a policy OID to identify which
is for what?
My search foo is weak, and I have to run off to a dr appt and I really
want to get this part settled today.
Sigh. It is always one more hurdle.
thanks for any pointers. I am just not finding something to read that
gives guidance on best practices for this.
More information about the openssl-users
mailing list