From: Andreas K. <ku...@tr...> - 2014-11-25 11:36:23

Hi Michael,

> Sorry for the delay in my answer which is due to the time shift.

Greetings to America!

> The intention was to make the system more secure.
>
> So if the system gets compromised, the attacker would only have access to the intermediate CAs, which have a way shorter lifespan (5 years) compared to the root CA (20 years).
>
> I don't have much experience in running a PKI, so please bear with me if I mix up some terms.

No problem, you are heading in the right direction! But you have to distinguish between the 'Root CA' as an artefact within the ejbca and its private key.

If you are thinking about validities of 20 years it makes perfect sense to use some kind of hardware device (token or HSM) to keep the root key in a safe place, with the option to separate it from the system. But this separation does not require a 'deletion' of the 'Root CA'. It's no problem to have the administrative information and the root's certificate in place. The crucial point is to disable the use of the private key!

This could be done easily with hardware (as mentioned above) or using an encrypted key file, decrypted only for CA signing purposes. Both approaches have their pros and cons: hardware may fail over time, replacement hardware may be unavailable, hardware hacked ... The decrypted file uncovers the most precious key material to be copied by a trojan, a disgruntled employee ... or someone simply forgets to delete it safely.

> But if you say I'd run into troubles with that, I'm happy to leave the root CA on the server.

Leave the 'Root CA' on the server, but do care about the key material! I outlined some options ... every option has its specific downside ... it's up to you ...

Greetings,

Andreas

> regards
> nomike
>
> -----Original Message-----
> From: Michael Ströder [mailto:mi...@st...]
> Sent: Monday, 24 November 2014 20:47
> To: ejb...@li...
> Subject: Re: [Ejbca-develop] Deleting the root CA
>
> Andreas Kuehne wrote:
>> Hi again, Michael!
>>> Michael Postmann wrote:
>>>> In our setup we have a root CA which signed two intermediate CAs
>>>> which then sign some client and webserver certificates to be used
>>>> internally and by our clients. For reasons of security, we want to
>>>> remove the root CA from the server, as soon as the intermediate CAs
>>>> are signed. The root CA will be stored in a physical safe so we have it available in case we need it again.
>>> An off-line root CA key.
>> He doesn't talk about deleting keys, he talks about deleting CAs!
>> Iirc this isn't possible anyway ...
> Probably the original poster should clarify what he really wants.
>
> Ciao, Michael.

--
Andreas Kühne
phone: +49 177 293 24 97
mailto: ku...@tr...

Trustable Ltd.
Niederlassung Deutschland
Ströverstr. 18 - 59427 Unna
Amtsgericht Hamm HRB 5868
Directors Andreas Kühne, Heiko Veit

Company UK
Company No: 5218868
Registered in England and Wales
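The "encrypted key file, decrypted only for CA signing purposes" option Andreas describes, shown as an added openssl script that is not part of the thread and not EJBCA's own procedure. The root key is only ever stored passphrase-protected and is decrypted in memory for the single signing step; the online side and chain validation need nothing but the root certificate. File names, subjects, validities and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or EJBCA): offline root key kept only as
# an encrypted PEM, used once to sign the intermediate CA, then left locked.
set -eu

WORK=$(mktemp -d)
ROOT_PASS="demo-passphrase-replace-me"   # constructed; use a real secret store

# Root key written to disk already encrypted (never in clear) plus its
# self-signed certificate (20 years, as in the thread). Prints the cert path.
make_offline_root() {
    openssl genrsa -aes256 -passout pass:"$ROOT_PASS" \
        -out "$WORK/root.key.enc" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/root.key.enc" -passin pass:"$ROOT_PASS" \
        -subj "/CN=Demo Root CA" -days 7300 -out "$WORK/root.crt" 2>/dev/null
    echo "$WORK/root.crt"
}

# The online intermediate CA: its own key and a CSR for the root to sign.
make_intermediate_csr() {
    openssl genrsa -out "$WORK/sub.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/sub.key" -subj "/CN=Demo Sub CA" \
        -out "$WORK/sub.csr" 2>/dev/null
    echo "$WORK/sub.csr"
}

# The one moment the root key is used: sign the intermediate (5 years).
# The passphrase goes to openssl directly; no decrypted key file is created.
sign_intermediate() {
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/sub.ext"
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key.enc" -passin pass:"$ROOT_PASS" -CAcreateserial \
        -days 1825 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" 2>/dev/null
    echo "$WORK/sub.crt"
}

# Validation needs only root.crt, so the key can stay locked or offline.
verify_chain() {
    if openssl verify -CAfile "$WORK/root.crt" "$WORK/sub.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Sanity check that the stored root key is not a clear-text PEM.
root_key_is_encrypted() {
    grep -q ENCRYPTED "$WORK/root.key.enc"
}

make_offline_root >/dev/null
make_intermediate_csr >/dev/null
sign_intermediate >/dev/null
echo "chain: $(verify_chain)"
```

After the signing step the same trade-off Andreas names still applies: the passphrase (or the HSM PIN) is now the thing to protect, and it should not sit in a script on the online machine.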