From: Michael S. <mi...@st...> - 2014-11-24 19:25:03

Michael Postmann wrote:
> In our setup we have a root CA which signed two intermediate CAs which
> then sign some client and webserver certificates to be used internally and
> by our clients. For reasons of security, we want to remove the root CA from
> the server, as soon as the intermediate CAs are signed. The root CA will be
> stored in a physical safe so we have it available in case we need it again.

An off-line root CA key.

> So if I just remove the RootCA from "ejbca" will key verification up the
> issuer chain and similar stuff be still possible? Could I later just add
> the key again to EJBCA if I e.g. need to revoke the key or sign another
> intermediate CA?

It very much depends on what "key verification" means. (You probably mean cert validation.)

Of course simple checks along the public-key cert chain will work.

The tricky part is the revocation check. It depends on what your relying party software expects. E.g. issuing a CRL every few months is very easy with a temporarily activated root CA key. But if you have client software which can only do revocation checks via OCSP *and* does *not* support delegated OCSP signing keys you're lost.

Ciao, Michael.