naming all the certs used by the CA

Robert Moskowitz rgm at htt-consult.com
Mon May 15 16:44:41 UTC 2023


this is the first time in decades I have been doing serious PKi design,,,

I am now looking at the various certificates, each with different 
keypairs that the CA uses.

It has its base authorization-to-exist cert that SHOULD rarely be used 
other than to sign its other certs.

It has a signing cert for signing the certs of all of its subscribers.
It has a CRL signing cert, well for signing any CRLs it generates.
It may have an OSCP signing cert.
...

The question is what to use for subjectName for all of these?  What is 
the "common" practice.  I have been googling and reading docs all 
morning and not finding anything on this subject.

Is the practice to use a lower OU level for these certs below the CA's 
base cert?
Are they all named the same (unique_subject=no) with only the 
subjectKeyIdentifier different and the CA operator 'knowing' which to 
use where, but not (necessarily) outsiders to the CA?

Duplicate subjectName, but something like a policy OID to identify which 
is for what?

My search foo is weak, and I have to run off to a dr appt and I really 
want to get this part settled today.

Sigh.  It is always one more hurdle.

thanks for any pointers.  I am just not finding something to read that 
gives guidance on best practices for this.





More information about the openssl-users mailing list