From: Michael P. <M.P...@pa...> - 2014-11-25 10:43:48

Sorry for the delay in my answer, which is due to the time shift. The intention was to make the system more secure. So if the system gets compromised, the attacker would only have access to the intermediate CAs, which have a way shorter lifespan (5 years) compared to the root CA (20 years). I don't have much experience in running a PKI, so please bear with me if I mix up some terms. But if you say I'd run into troubles with that, I'm happy to leave the root CA on the server.

regards
nomike

-----Original Message-----
From: Michael Ströder [mailto:mi...@st...]
Sent: Monday, 24 November 2014 20:47
To: ejb...@li...
Subject: Re: [Ejbca-develop] Deleting the root CA

Andreas Kuehne wrote:
> Hi again, Michael!
>> Michael Postmann wrote:
>>> In our setup we have a root CA which signed two intermediate CAs
>>> which then sign some client and webserver certificates to be used
>>> internally and by our clients. For reasons of security, we want to
>>> remove the root CA from the server, as soon as the intermediate CAs
>>> are signed. The root CA will be stored in a physical safe so we have it available in case we need it again.
>> An off-line root CA key.
> He doesn't talk about deleting keys, he talks about deleting CAs!
> Iirc this isn't possible anyway ...

Probably the original poster should clarify what he really wants.

Ciao, Michael.
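The distinction the thread turns on (taking the root *key* offline versus deleting the root *CA*) can be shown with Go's standard x509 package. This is an added example, not code from the thread or from EJBCA: the CA names, serials and hostname are constructed, and only the 20-year root / 5-year intermediate lifetimes follow the mail. The intermediate issues a server certificate after the root private key has been dropped, and the chain still verifies because the trust anchor is the root certificate, which stays on the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caTemplate describes a CA certificate valid from now for the given number of years.
func caTemplate(cn string, serial int64, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}
// issue signs tmpl for pub with the parent's private key (parent == tmpl gives a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER freshly produced by CreateCertificate always parses
	return cert
}
// BuildAndVerify models the thread's hierarchy (constructed names): a 20-year root signs a 5-year
// intermediate, the root key then leaves the server, and a web server cert is still issued and verified.
func BuildAndVerify() (int, error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := caTemplate("Example Root CA", 1, 20)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	inter := issue(caTemplate("Example Intermediate CA", 2, 5), root, &interKey.PublicKey, rootKey)
	rootKey = nil // root key goes into the physical safe; nothing below touches it
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.internal"},
		DNSNames: []string{"www.example.internal"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
	}, inter, &leafKey.PublicKey, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the trust anchor is the root certificate, not the root key
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.internal"})
	return len(chains), err // 1 valid chain on success
}
```

If the root certificate were removed from the pool as well, Verify would fail with an unknown-authority error, which is the practical difference between an offline root key and a deleted root CA.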