From: Michael S. <mi...@st...> - 2014-11-24 19:20:41
Andreas Kuehne wrote:

> your idea to delete the root CA is a bit surprising to me! I would agree
> that's a good idea to lock away the private key of the root, preferably
> on a smart card or in an encrypted file with different holders of
> credential parts.
>
> Without the root certificate all your chain validations will fail.
> Making OCSP requests for the intermediate CA is 'difficult' without
> having the issuing certificate at hand ...

Andreas, this reveals that you're very much into SigG signature checking. ;-)

"Normal" implementations (e.g. Firefox) usually only send OCSP requests for end entities.

But you could even remove the root CA key if the root CA issued an OCSP responder cert with separate key pair (OCSP delegation).

Ciao,

Michael.