ejbca-develop Mailing List for EJBCA, JEE PKI Certificate Authority (Page 47)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Michael Postmann wrote:
> In our setup we have a root CA which singed two intermediate CA's which
> then sign some client and webserver certificates to be used internally and
> by our clients. For reasons of security, we want to remove the root CA from
> the server, as soon as the intermediate CAs are signed. The root CA will be
> stored in  physical safe so we have it available in case we need it again.

An off-line root CA key.

> So if I just remove the RootCA from "ejbca" will key verification up the
> issuer chain and similar stuff be still possible? Could I later just add
> the key again to EJBCA if I e.g. need to revoke the key or sign another
> intermediate CA?

It very much depends on what "key verification" means.
(You probably mean cert validation.)

Of course simple checks along the public-key cert chain will work.
The tricky part is the revocation check. It depends on what your relying party
software expects.

E.g. issuing a CRL every few months is very easy with a temporarily actived
root CA key.

But if you have client software which can only do revocation checks via OCSP
*and* does *not* support delegated OCSP signing keys you're lost.

Ciao, Michael.

2001	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov (1)	Dec (3)
2002	Jan (3)	Feb (2)	Mar (8)	Apr (3)	May (6)	Jun (1)	Jul (15)	Aug (6)	Sep	Oct (10)	Nov (2)	Dec (4)
2003	Jan (1)	Feb (7)	Mar (3)	Apr (6)	May (7)	Jun (5)	Jul (5)	Aug (25)	Sep (14)	Oct (2)	Nov	Dec (2)
2004	Jan (7)	Feb (4)	Mar (12)	Apr (16)	May (43)	Jun (56)	Jul (43)	Aug (40)	Sep (66)	Oct (12)	Nov (26)	Dec (10)
2005	Jan (13)	Feb (33)	Mar (16)	Apr (7)	May (10)	Jun (34)	Jul (41)	Aug (8)	Sep (4)	Oct (32)	Nov (20)	Dec (25)
2006	Jan (30)	Feb (101)	Mar (5)	Apr (75)	May (74)	Jun (22)	Jul (6)	Aug (70)	Sep (19)	Oct (21)	Nov (31)	Dec (50)
2007	Jan (15)	Feb (20)	Mar (24)	Apr (33)	May (13)	Jun (18)	Jul (13)	Aug (7)	Sep (63)	Oct (68)	Nov (29)	Dec (68)
2008	Jan (30)	Feb (33)	Mar (30)	Apr (103)	May (78)	Jun (48)	Jul (72)	Aug (24)	Sep (62)	Oct (63)	Nov (70)	Dec (37)
2009	Jan (34)	Feb (35)	Mar (64)	Apr (34)	May (34)	Jun (58)	Jul (30)	Aug (30)	Sep (46)	Oct (52)	Nov (12)	Dec (23)
2010	Jan (121)	Feb (18)	Mar (53)	Apr (62)	May (62)	Jun (20)	Jul (33)	Aug (20)	Sep (36)	Oct (35)	Nov (44)	Dec (63)
2011	Jan (19)	Feb (32)	Mar (94)	Apr (41)	May (47)	Jun (25)	Jul (34)	Aug (20)	Sep (9)	Oct (41)	Nov (33)	Dec (24)
2012	Jan (12)	Feb (36)	Mar (48)	Apr (32)	May (20)	Jun (15)	Jul (32)	Aug (13)	Sep (33)	Oct (54)	Nov (25)	Dec (16)
2013	Jan (45)	Feb (39)	Mar (38)	Apr (50)	May (29)	Jun (30)	Jul (33)	Aug (12)	Sep (9)	Oct (25)	Nov (29)	Dec (20)
2014	Jan (25)	Feb (19)	Mar (16)	Apr (33)	May (27)	Jun (37)	Jul (29)	Aug (27)	Sep (37)	Oct (58)	Nov (109)	Dec (26)
2015	Jan (4)	Feb (35)	Mar (22)	Apr (35)	May (28)	Jun (20)	Jul (4)	Aug (16)	Sep (37)	Oct (13)	Nov (13)	Dec (14)
2016	Jan (22)	Feb (7)	Mar (23)	Apr (30)	May (10)	Jun (10)	Jul (15)	Aug (12)	Sep (22)	Oct (31)	Nov (5)	Dec (5)
2017	Jan (30)	Feb (25)	Mar (28)	Apr (4)	May (19)	Jun (13)	Jul (7)	Aug (1)	Sep (2)	Oct (5)	Nov (12)	Dec (2)
2018	Jan (7)	Feb	Mar (7)	Apr (2)	May (8)	Jun (18)	Jul (6)	Aug (3)	Sep (15)	Oct (33)	Nov (13)	Dec (7)
2019	Jan (5)	Feb (7)	Mar (30)	Apr (5)	May (4)	Jun (69)	Jul (86)	Aug (22)	Sep (6)	Oct (7)	Nov (5)	Dec (3)
2020	Jan (10)	Feb (12)	Mar (22)	Apr (5)	May (1)	Jun (4)	Jul (6)	Aug	Sep (9)	Oct	Nov	Dec (1)
2021	Jan (4)	Feb (11)	Mar (7)	Apr (7)	May	Jun (3)	Jul (10)	Aug (6)	Sep	Oct	Nov (18)	Dec (2)
2022	Jan (1)	Feb (1)	Mar	Apr	May	Jun (2)	Jul	Aug (4)	Sep	Oct	Nov	Dec
2023	Jan	Feb	Mar	Apr (1)	May (1)	Jun	Jul	Aug (5)	Sep	Oct	Nov	Dec

ejbca-develop Mailing List for EJBCA, JEE PKI Certificate Authority (Page 47)

ejbca-develop — Development discussions