naming all the certs used by the CA
Mike Bomba
mike.bomba.az at gmail.com
Tue May 16 04:21:09 UTC 2023
>From memory, the root signing certificate is a self signed certificate and
is used as the root of trust for any PKI. The root ca server (RA) should
never go online and it's purpose is to issue signing certificates for
Intermediate Certificate Authorities. These ICAs are used to issue
certificates for a variety of purposes including TLS encryption and
identification. Many years ago, the Subject of a certificate used for TLS
held the FQDN for the associated server. Some older browsers may still
expect this behavior. Today the Subject Alternate Name (SAN) attribute in a
certificate is much more critical than the Subject name. Distinguished Name
is always (as far as I know) a structured value and is used to determine
identification of the entity the certificate is issued to. The uniqueness
of a certificate is based on ICA + Serial Number.
A good starting point to read about x509 certificates is
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/certificate-concepts/ba-p/395181
If you intend to create your own private PKI service, you will need to add
the certificate authority hierarchy (RA and ICAs) to the devices that need
to trust that certificate. Even after doing that, there may be some
browsers that do not automatically trust a new root CA added to the
system's certificate store.
On Mon, May 15, 2023, 9:45 AM Robert Moskowitz <rgm at htt-consult.com> wrote:
> this is the first time in decades I have been doing serious PKi design,,,
>
> I am now looking at the various certificates, each with different
> keypairs that the CA uses.
>
> It has its base authorization-to-exist cert that SHOULD rarely be used
> other than to sign its other certs.
>
> It has a signing cert for signing the certs of all of its subscribers.
> It has a CRL signing cert, well for signing any CRLs it generates.
> It may have an OSCP signing cert.
> ...
>
> The question is what to use for subjectName for all of these? What is
> the "common" practice. I have been googling and reading docs all
> morning and not finding anything on this subject.
>
> Is the practice to use a lower OU level for these certs below the CA's
> base cert?
> Are they all named the same (unique_subject=no) with only the
> subjectKeyIdentifier different and the CA operator 'knowing' which to
> use where, but not (necessarily) outsiders to the CA?
>
> Duplicate subjectName, but something like a policy OID to identify which
> is for what?
>
> My search foo is weak, and I have to run off to a dr appt and I really
> want to get this part settled today.
>
> Sigh. It is always one more hurdle.
>
> thanks for any pointers. I am just not finding something to read that
> gives guidance on best practices for this.
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230515/40086545/attachment.htm>
More information about the openssl-users
mailing list