I am generating a CA for internal use. When generating a CA, the best practice I have observed is to keep the root CA offline and emit an intermediate CA certificate that will in turn emit the end-user certificates. This way, a compromise of the intermediate CA key can be recovered from by revoking that intermediate CA and generating a new one.

I see, however, that CRL files need to be renewed regularly (e.g. daily), which would require the root CA keys to be used. But the main goal of all this is to keep the CA keys offline. What is the best practice here?

Is there the possibility of using a separate key for CRL signing? If so, how would I do this? The question is not OpenSSL-specific, but I'm using OpenSSL in case you want to provide examples.

gimix

1 Answer

At some point your Root CA has to have control over its subordinate CAs. If there was a scheme where it delegates this control to another server (such as your OCSP-like suggestion), the Root CA would still need to have control over this service in some way or another. In order to assert this control you would at some point need to power up the Root CA. A scheme where the Root CA delegates full control to another service would mean that the Root CA effectively loses control, which is not what you want.

The standard way is to have the Root CA generate long-lived CRLs. This is relatively safe as the only certificates it issues are to a very few subordinate CAs and these CAs are (should be) securely operated in accordance with the PKI's Certificate Policy with a statement describing this operation in the CA's Certification Practice Statement.

Therefore, every (for example) six months:

  1. Switch on the Root CA;
  2. Generate a new CRL;
  3. Export the CRL (for example using a CD/DVD burner);
  4. Switch off the Root CA.

This process should be formalised and if you have concerns about someone running away with a copy of your Root CA's private key, your PKI Management Authority can/should insist on the use of witnesses and/or CCTV or any other scheme it deems fit.

garethTheRed
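The six-monthly procedure from the answer above, as an added example that is not part of the original question or answer: a scratch root CA signs the intermediate once, then only comes back online to sign a 183-day CRL, and revoking the intermediate followed by a fresh CRL shows the relying-party check flipping from valid to revoked. The directory layout, names and lifetimes are assumptions, and it needs the `openssl` CLI on PATH.

```shell
#!/bin/sh
# Added example (not from the original Q&A): the answer's procedure with OpenSSL.
# Assumes the openssl CLI on PATH; names, lifetimes and paths are illustrative.
set -e
# Minimal openssl.cnf for `openssl ca -gencrl/-revoke`; default_crl_days=183 gives
# the six-month CRL lifetime from the answer, so the root only signs twice a year.
write_ca_conf() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = root
[ root ]
database = $1/index.txt
crlnumber = $1/crlnumber
certificate = $1/root.crt
private_key = $1/root.key
default_md = sha256
default_crl_days = 183
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}
# Root CA online (once): self-sign the root, issue the intermediate, power off.
setup_pki() {
  mkdir -p "$1"; : > "$1/index.txt"; echo 1000 > "$1/crlnumber"; write_ca_conf "$1"
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Root CA" -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
    -days 1825 -extfile "$1/ca.cnf" -extensions v3_ca -out "$1/int.crt" 2>/dev/null
}
# Root CA online (every six months): sign a fresh CRL and export it (the CD/DVD step).
crl_issue() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/root.crl" 2>/dev/null; }
# Record the intermediate as compromised; relying parties see it after the next crl_issue.
revoke_intermediate() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/int.crt" -crl_reason keyCompromise 2>/dev/null
}
# Relying-party check: chain to the root and consult the exported CRL (fails closed:
# a missing or unverifiable CRL also reports "revoked").
intermediate_status() {
  if openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/root.crl" "$1/int.crt" \
    >/dev/null 2>&1; then echo valid; else echo revoked; fi
}
```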