[ https://issues.apache.org/jira/browse/HDDS-7395?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
István Fajth updated HDDS-7395:
-------------------------------
Parent: HDDS-7333
Issue Type: Sub-task (was: Improvement)
> Subordinate CA certificate revocation
> -------------------------------------
>
> Key: HDDS-7395
> URL: https://issues.apache.org/jira/browse/HDDS-7395
> Project: Apache Ozone
> Issue Type: Sub-task
> Components: Security
> Reporter: István Fajth
> Assignee: István Fajth
> Priority: Major
> Labels: pki
>
> In the event of revoking a subordinate CA certificate, we need to follow a
> procedure similar to the one used for the revocation of the rootCA certificate,
> but it affects just the certificates that are signed by the subordinate CA
> certificate to be revoked.
> When we have an internally generated rootCA certificate:
> The new subordinate CA certificate does not have to be distributed; it will be
> part of the certificate bundles that are provided upon signing new
> certificates, and the new subordinate CA certificate will be signed by one of
> the existing subordinate CA certificates.
> In this case extra care has to be taken to ensure that when we revoke a
> particular subordinate CA certificate, we should not revoke the last one that
> is inheriting trust from the existing rootCA certificate. If a revocation
> breaks the chain of trust from the existing rootCA certificate, then the
> rootCA certificate has to be revoked.
> When we have an externally configured rootCA certificate:
> The system should use that to sign the new subordinate CA certificate.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
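The "do not revoke the last subordinate CA that still inherits trust from the rootCA" rule from the description, as an added toy model (this is example code, not Apache Ozone's implementation; the certificate names, the `issuer_of` map and the function names are constructed for illustration). It simulates revoking one subordinate CA, lists every certificate whose chain to the root breaks as a result, and flags the case where no subordinate CA survives, which is exactly when the issue says the rootCA itself has to be revoked.

```python
# Added example (not Apache Ozone code): a toy model of the chain-of-trust
# check the issue calls for. Certificate names below are constructed.
from typing import Dict, FrozenSet, Set

ROOT = "rootCA"


def chains_to_root(issuer_of: Dict[str, str], cert: str, revoked: Set[str]) -> bool:
    """True if `cert` reaches ROOT without passing through a revoked certificate."""
    seen = set()
    cur = cert
    while cur != ROOT:
        if cur in revoked or cur in seen or cur not in issuer_of:
            return False  # revoked, cyclic, or unknown issuer: no valid chain
        seen.add(cur)
        cur = issuer_of[cur]
    return ROOT not in revoked


def revoke_subca(issuer_of: Dict[str, str], subcas: Set[str], target: str,
                 revoked: FrozenSet[str] = frozenset()) -> dict:
    """Simulate revoking subordinate CA `target`.

    Returns which certificates lose their chain of trust, which sub-CAs still
    inherit trust from the root afterwards, and whether the revocation breaks
    the chain from the root entirely (then the root CA must be revoked too)."""
    if target not in subcas:
        raise ValueError(f"{target} is not a subordinate CA")
    now_revoked = set(revoked) | {target}
    invalidated = {c for c in issuer_of
                   if c not in revoked and not chains_to_root(issuer_of, c, now_revoked)}
    surviving = {c for c in subcas if chains_to_root(issuer_of, c, now_revoked)}
    return {"invalidated": invalidated,
            "surviving_subcas": surviving,
            "root_revocation_required": not surviving}


# Constructed hierarchy: scm-a is signed by the root, scm-b is signed by scm-a
# (a new sub-CA signed by an existing sub-CA, as the description allows), and
# leaf certificates are issued by each sub-CA.
ISSUER_OF = {"scm-a": ROOT, "scm-b": "scm-a",
             "dn-1": "scm-a", "dn-2": "scm-b", "om-1": "scm-b"}
SUBCAS = {"scm-a", "scm-b"}

if __name__ == "__main__":
    for target in ("scm-b", "scm-a"):
        print(target, revoke_subca(ISSUER_OF, SUBCAS, target))
```

Revoking scm-b only invalidates the certificates it signed and leaves scm-a chaining to the root; revoking scm-a takes scm-b and every leaf down with it and reports that the rootCA must be revoked as well.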