From: Branko M. <br...@ma...> - 2014-11-28 14:59:16
On Mon, 24 Nov 2014 12:52:47 +0000
Michael Postmann <M.P...@pa...> wrote:

> Hi!
>
> In our setup we have a root CA which signed two intermediate CAs which then sign some client and webserver certificates to be used internally and by our clients. For reasons of security, we want to remove the root CA from the server, as soon as the intermediate CAs are signed. The root CA will be stored in a physical safe so we have it available in case we need it again.
>
> So if I just remove the RootCA from "ejbca" will key verification up the issuer chain and similar stuff be still possible? Could I later just add the key again to EJBCA if I e.g. need to revoke the key or sign another intermediate CA?
>
> cheers
>
> nomike
>

The simplest thing would be to keep root CA on a separate server. This server would be offline, eventually connected to one admin workstation. Otherwise, you could try making the key material for root CA stored on an HSM that you need to plug into the machine etc. I.e. make it available only when explicitly needed. Keep in mind, though, that someone could crack your CA server, deploy some payload to wait for the root CA key to be usable, and then sign whatever they need. So, in general, offline root CA is the best practice for most scenarios.

If you _remove_ root CA from EJBCA, you would need to import it via CLI later on if you want to use it. This is not the most common thing to do. You can always import the root CA certificate as external CA into the system if you need the chain, btw.

Best regards

--
Branko Majic
Jabber: br...@ma...
Please use only Free formats when sending attachments to me.
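
The point above about needing only the root CA certificate for the chain, as an added example that is not part of the original message and does not use EJBCA: a shell sketch with the `openssl` command-line tool, where all names, subjects and lifetimes are constructed and deleting `root.key` stands in for moving the root key to the safe.

```shell
#!/bin/sh
# Added demo with constructed names and lifetimes; nothing here comes from EJBCA.
# Requires the openssl command-line tool.
demo_offline_root() {
    d=$(mktemp -d) || return 1
    result=$(
        cd "$d" || exit 1
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
        newreq() {  # newreq <name> <subject>: fresh key plus CSR
            openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
                -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
        }
        sign() {    # sign <csr-name> <issuer-name> <ext-section> <out-name>
            openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
                -CAcreateserial -extfile ca.cnf -extensions "$3" \
                -days 365 -out "$4.crt" 2>/dev/null
        }
        # Root CA signs the intermediate while its key is still present.
        openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 \
            -nodes -keyout root.key -out root.crt -subj "/CN=Demo Root CA" \
            -days 3650 2>/dev/null || exit 1
        newreq int "/CN=Demo Intermediate CA" && sign int root v3_ca int || exit 1
        # Stand-in for moving the root key to the safe.
        rm -f root.key
        # Day-to-day issuance needs only the intermediate key.
        newreq leaf "/CN=www.example.test" && sign leaf int v3_leaf leaf || exit 1
        # Verification uses root.crt alone as the trust anchor.
        if openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1
        then chain=OK; else chain=FAIL; fi
        # Signing a second intermediate without the root key must fail.
        newreq int2 "/CN=Demo Intermediate CA 2" || exit 1
        if sign int2 root v3_ca int2; then resign=possible; else resign=refused; fi
        echo "chain=$chain resign=$resign"
    )
    rm -rf "$d"
    echo "$result"
}
demo_offline_root
```

The same split applies to CRLs for the root: issuing one is a signing operation, so it also needs the root key brought back.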