  1. EJBCA
  2. ECA-9146

Allow more convenient staging of rollover certificate for colocated SubCA issuer

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Trivial
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Provenance:
      Internal Delivery

      Description

      SCEP allows a transition period for devices where a staged new (rollover) Sub CA certificate can be propagated to devices before being used for leaf certificate issuance.

      (The purpose of the rollover certificate here is not to enable automatic trust in the new certificate if the old one is available. The trust is established by trusting a CA higher up in the chain.)

      The current workflow is centered on leaf-certificate-issuing CAs that are external, but the issuer of such a SubCA could also be colocated. For example:

      • The CA issuer could be inactive except during renewals
      • The leaf issuer might use less expensive but more performant storage for its private keys and hence be required to be more short-lived.

      In the latter case, automatic creation of the staged new CA certificate could be relevant.

              People

              Assignee:
              Unassigned
              Reporter:
              Johan Eklund
              Votes:
              0
              Watchers:
              2