Hey Vladimir, this question goes beyond my expertise with X509 and PKI.

Conceptually ;-) I would say that a way is to do it like PGP: the root CA signs its own certificate revocation. Then, like PGP, you must guard the self-revocation, and in case of private key compromise, you make the self-revocation available.

Regarding the mechanism you propose (having root CA_1 sign the revocation of root CA_2), I think you need a non-equivocable way for CA_2 to tell everybody it is delegating revocation capabilities to CA_1. So to me the certificate itself of CA_2 should have a field with something like "trusted revocators" that maps to a certificate (or equivalent) of CA_1.

marco

On Jun 5, 2012, at 12:12 , Vladimir Belov wrote:

> Hi, Marco.
>
> What can you say (_Conceptually_) about a way to revoke root CA certificates?
> They don't have any CRL distribution points or OCSP responder URLs. But why
> is it so? For example another company (another CA) can sign an OCSP responder
> certificate for the root certificate and this will be a more secure scheme in
> comparison with the existing realities.
>
> The probability that both private keys of both companies will be compromised
> at the same time is too low.
>
> Regards,
>
> Vladimir.
>
> ----------------------------------------------------------------------------------
> From: Marco Molteni
> Sent: Tuesday, June 05, 2012 1:35 PM
> To: openssl-users@openssl.org
> Subject: self-signed certificates vs CA (was: Re: authenticate peer)
>
> What is a CA? _Conceptually_ a CA is nothing more than a self-signed
> certificate you trust as an issuer of other certificates :-)
>
> So, a self-signed certificate doesn't need its own CA. Or, it is the same
> thing.
>
> From a practical point of view, in my opinion the main differences are these:
>
> Say you have 100 self-signed certificates. You have to put them out of band,
> in a secure way, in the N places they will be needed to authenticate the
> owners of the associated private keys.
>
> The day you add the 101st self-signed certificate, you have to put it on the
> N places, as before.
>
> On the other hand, if you have your own root CA, you just have to put once 1
> certificate, the certificate of the root CA, in the N places.
>
> The day you add the 101st certificate issued by the CA, you don't need to do
> anything in the N places.
>
> If you have a CA, you must guard the private key. A compromise will
> compromise _all_ your system.
>
> If you don't have a CA, you don't have to guard a private key. A compromise
> will compromise 1 identity.
>
> In both cases (CA or not), you probably need a way to revoke certificates.
>
>
> On Jun 4, 2012, at 17:07 , Dinh, Thao V CIV NSWCDD, K72 wrote:
>
> > Please help me to understand more about "SELF SIGNED CERTIFICATES".
> >
> > Do Self-Signed certificates have to be signed at all by their own CA?? Do we
> > have to generate a CSR for each client?? If they do, what is the best way
> > to create a "Self-Signed Cert"?? Either
> >
> > 1. Each client is its own CA
> >    a. // generate keys and CSR
> >       openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
> >    b. // generate cert signed by its own key (self-signed)
> >       openssl x509 -req -in clientreq.pem -sha1 -signkey clientkey.pem -out clientcert.pem
> >
> > 2. Create one root CA, every client creates its own certificate signed by
> >    the root CA
> >
> >    // create root
> >    a. openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
> >    b. openssl x509 -req -in rootreq.pem -sha1 -signkey rootkey.pem -out rootcert.pem
> >    c. cat rootcert.pem rootkey.pem > root.pem
> >
> >    // create client certificate, signed by common root
> >    d. openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
> >    e. // -CAcreateserial creates the CA serial file on first use; -signkey is
> >       // for self-signing only and takes a key argument, so it does not belong here
> >       openssl x509 -req -in clientreq.pem -sha1 -CA root.pem -CAkey root.pem -CAcreateserial -out client.pem
> >
> > Please help.
> >
> > Thao
> >
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

--
Marco Molteni
Technical Leader - Cisco Media Services Interface
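The whole thread above (one root in N places versus N self-signed certificates, and who is allowed to sign a revocation) can be exercised end to end in code. The following is an added example, not code from any participant in the thread or from the OpenSSL project; it uses only Go's standard library, generates all keys in memory, and the CA names, serial numbers and the "client-101" subject are constructed for the demonstration. It builds two independent root CAs, issues a client certificate under the first, shows that a relying party holding only that root accepts the client while a relying party holding the other root does not, and then shows that a CRL is only honoured when its signature verifies under the certificate's own issuer: a CRL for the same serial signed by the second CA is rejected, which is the gap the "trusted revocators" delegation idea would have to close.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a certificate with the private key that signs under it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRootCA builds a self-signed CA certificate (constructed in memory, no files).
func newRootCA(name string, serial int64) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueClientCert has the CA sign one end-entity certificate (the "101st client").
func issueClientCert(issuer *ca, name string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo reports whether leaf verifies against a trust store holding only root:
// with a CA, that single root is all the N relying parties need to distribute.
func chainsTo(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// issueCRL signs a revocation list naming the given serials under signer's key.
func issueCRL(signer *ca, revoked ...*big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, signer.cert, signer.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// isRevoked checks the CRL signature against the leaf's issuer before trusting its
// contents; a CRL signed by any other CA, however well-meaning, is rejected.
func isRevoked(crl *x509.RevocationList, issuer, leaf *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca1, _ := newRootCA("Demo Root CA 1", 1)
	ca2, _ := newRootCA("Demo Root CA 2", 2)
	client, _ := issueClientCert(ca1, "client-101", 101)
	fmt.Println("chains to CA 1:", chainsTo(client, ca1.cert), "to CA 2:", chainsTo(client, ca2.cert))
	own, _ := issueCRL(ca1, client.SerialNumber)
	fmt.Println(isRevoked(own, ca1.cert, client)) // true <nil>
	foreign, _ := issueCRL(ca2, client.SerialNumber)
	fmt.Println(isRevoked(foreign, ca1.cert, client)) // false, signature error
}
```

The same shape applies to a root: nothing in standard X.509 path validation consults a CRL for the trust anchor itself, and a CRL or OCSP response is only accepted when it verifies under the issuer's key (or a key the issuer has explicitly delegated to), which is why the thread lands on "the certificate of CA_2 itself must say who may revoke it".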