István Fajth created HDDS-7395:
----------------------------------
Summary: Subordinate CA certificate revocation
Key: HDDS-7395
URL: https://issues.apache.org/jira/browse/HDDS-7395
Project: Apache Ozone
Issue Type: Sub-task
Reporter: István Fajth
Assignee: István Fajth
In the event of revoking a subordinate CA certificate, we need to follow a
procedure similar to the one used for revoking the rootCA certificate, but it
affects only the certificates that are signed by the subordinate CA certificate
being revoked.
When we have an internally generated rootCA certificate:
The new subordinate CA certificate does not have to be distributed; it will be
part of the certificate bundles that are provided upon signing new
certificates, and the new subordinate CA certificate will be signed by one of
the existing subordinate CA certificates.
In this case extra care has to be taken to ensure that when we revoke a
particular subordinate CA certificate, we do not revoke the last one that
inherits trust from the existing rootCA certificate. If a revocation breaks
the chain of trust from the existing rootCA certificate, then the rootCA
certificate has to be revoked.
When we have an externally configured rootCA certificate:
The system should use it to sign the new subordinate CA certificate.
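The check described above, as an added illustration that is not Ozone code: a small in-memory model of the CA hierarchy (the `Cert`, `CertStore` and `plan_subca_revocation` names, the serials and the sample hierarchy are all assumptions made here, not identifiers from the project) that computes which certificates a subordinate CA revocation affects and refuses to cut the last sub-CA still chaining to the root, flagging that the root itself would have to be revoked instead.

```python
"""Subordinate-CA revocation check: who is affected, and does the root survive?

Added illustration, not Apache Ozone code. Certificates are plain records
(serial, issuer serial, CA flag) rather than real X.509 objects, and the
store is an in-memory dict; all names and serials are assumed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class Cert:
    serial: str
    issuer: Optional[str]  # serial of the signing cert; None for the self-signed root
    is_ca: bool = False


@dataclass
class CertStore:
    certs: Dict[str, Cert] = field(default_factory=dict)
    revoked: Set[str] = field(default_factory=set)

    def add(self, cert: Cert) -> "CertStore":
        self.certs[cert.serial] = cert
        return self

    def chains_to_root(self, serial: str, also_revoked: Iterable[str] = ()) -> bool:
        """True if every cert from `serial` up to the root is present and unrevoked."""
        revoked = self.revoked | set(also_revoked)
        seen: Set[str] = set()
        cur = self.certs.get(serial)
        while cur is not None:
            if cur.serial in revoked or cur.serial in seen:  # revoked, or a cycle
                return False
            seen.add(cur.serial)
            if cur.issuer is None:  # reached the self-signed root
                return True
            cur = self.certs.get(cur.issuer)
        return False  # dangling issuer reference: no chain

    def issued_under(self, serial: str) -> Set[str]:
        """Serials of every cert below `serial` in the hierarchy, transitively."""
        out: Set[str] = set()
        frontier = [serial]
        while frontier:
            parent = frontier.pop()
            for c in self.certs.values():
                if c.issuer == parent and c.serial not in out:
                    out.add(c.serial)
                    frontier.append(c.serial)
        return out


@dataclass
class RevocationPlan:
    subca: str
    affected: Set[str]          # certs that lose their chain of trust (must be reissued)
    remaining_subcas: Set[str]  # sub-CAs still chaining to the root afterwards
    root_must_be_revoked: bool  # True when this would be the last trusted sub-CA


def plan_subca_revocation(store: CertStore, subca_serial: str) -> RevocationPlan:
    """Simulate revoking one sub-CA without touching the store."""
    target = store.certs[subca_serial]
    if not target.is_ca or target.issuer is None:
        raise ValueError(f"{subca_serial} is not a subordinate CA certificate")
    pending = {subca_serial}
    remaining = {
        c.serial for c in store.certs.values()
        if c.is_ca and c.issuer is not None and c.serial not in pending
        and store.chains_to_root(c.serial, pending)
    }
    return RevocationPlan(subca_serial, store.issued_under(subca_serial),
                          remaining, root_must_be_revoked=not remaining)


def apply_subca_revocation(store: CertStore, subca_serial: str) -> RevocationPlan:
    """Revoke the sub-CA, or refuse if that would break trust from the root."""
    plan = plan_subca_revocation(store, subca_serial)
    if plan.root_must_be_revoked:
        raise RuntimeError(f"revoking {subca_serial} breaks the chain from the root; "
                           "the rootCA certificate itself must be revoked instead")
    store.revoked.add(subca_serial)
    return plan


def build_sample_store() -> CertStore:
    """Constructed sample hierarchy: root R, sub-CA S1 under R, sub-CA S2 under S1,
    leaf L1 issued by S1 and leaf L2 issued by S2 (all serials are made up)."""
    return (CertStore()
            .add(Cert("R", None, is_ca=True))
            .add(Cert("S1", "R", is_ca=True))
            .add(Cert("S2", "S1", is_ca=True))
            .add(Cert("L1", "S1"))
            .add(Cert("L2", "S2")))


if __name__ == "__main__":
    store = build_sample_store()
    print(apply_subca_revocation(store, "S2"))   # fine: S1 still chains to R
    print(plan_subca_revocation(store, "S1"))    # root_must_be_revoked=True
```

Note that `remaining_subcas` is computed against the hypothetical revocation (`pending`) before anything is written to the store, so a caller can inspect the plan and choose the root revocation procedure instead of partially applying a change that would leave no trusted sub-CA.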
--
This message was sent by Atlassian Jira
(v8.20.10#820010)