[Ejbca-develop] Deleting the root CA

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi!

In our setup we have a root CA which singed two intermediate CA's which then sign some client and webserver certificates to be used internally and by our clients. For reasons of security, we want to remove the root CA from the server, as soon as the intermediate CAs are signed. The root CA will be stored in  physical safe so we have it available in case we need it again.

So if I just remove the RootCA from "ejbca" will key verification up the issuer chain and similar stuff be still possible? Could I later just add the key again to EJBCA if I e.g. need to revoke the key or sign another intermediate CA?

cheers

nomike