From: Andreas K. <ku...@tr...> - 2014-11-24 13:19:16

Hi Michael,

your idea to delete the root CA is a bit surprising to me!

I would agree that it's a good idea to lock away the private key of the root, preferably on a smart card or in an encrypted file with different holders of credential parts.

Without the root certificate all your chain validations will fail. Making OCSP requests for the intermediate CA is 'difficult' without having the issuing certificate at hand ...

What do you want to achieve by 'deleting' the CA?

Greetings,

Andreas

> Hi!
>
> In our setup we have a root CA which signed two intermediate CAs which then sign some client and webserver certificates to be used internally and by our clients. For reasons of security, we want to remove the root CA from the server as soon as the intermediate CAs are signed. The root CA will be stored in a physical safe so we have it available in case we need it again.
>
> So if I just remove the RootCA from "ejbca", will key verification up the issuer chain and similar stuff still be possible? Could I later just add the key again to EJBCA if I e.g. need to revoke the key or sign another intermediate CA?
>
> cheers
>
> nomike

--
Andreas Kühne
phone: +49 177 293 24 97
mailto: ku...@tr...

Trustable Ltd.
Niederlassung Deutschland
Ströverstr. 18 - 59427 Unna
Amtsgericht Hamm HRB 5868

Directors
Andreas Kühne, Heiko Veit

Company UK Company No: 5218868
Registered in England and Wales