Hi,

Some background information may be useful here:

When importing a certificate into the OpenXPKI database, the system tries to build a certificate chain up to a known Root CA certificate. If no chain can be built, import is refused (there are ways to override this, though). For chain building, the system automatically references Root CA certificates from its entire database, from all PKI Realms. For chain building it does not matter where (in which realm) the Root CA certificate is actually located. Typically Root CAs are not managed by OpenXPKI, but rather in an offline environment, so normally there is no PKI Realm hosting the (active) Root CA. In that case Root CA certificates are normally only used to establish a trust relationship by relying parties, and they are *technically* not needed for the actual operation of a subordinate CA. We wanted to make sure that the resulting CA hierarchy is somewhat consistent, so when setting up an OpenXPKI PKI Realm as a subordinate Issuing CA, the system needs the corresponding Root CA certificate when importing the CA Signer token certificate. The Root CA certificate is - as mentioned - only used for chain building and trust management, and it may also be used/referenced by other PKI Realms. So the Root CA certificate has to be in the database somewhere. We decided that a "Null" PKI Realm is the proper place to import such certificates. Certificates in the "Null" Realm can be implicitly referenced by all other realms but do not serve an active purpose.

Now some information I seem to get between the lines from your previous communication. I may be wrong, but you mentioned the Root CA key in the context of the OpenXPKI setup. This sounds a bit strange, as it seems to imply that you also run the Root CA as an OpenXPKI PKI Realm. We do not recommend running a Root CA on an online system, but technically this works just fine. Now, if you actually have an active Root CA PKI Realm in which you issue Issuing CA certificates, this Realm also keeps the Root CA certificate. In this particular case, the Root CA certificate is already in the database, and other PKI Realms will automatically be able to reference it for completing certificate chains. Listing the signer certs in THIS Root CA realm will then show the Root CA certificate. In other words, in normal setups the Root CA certificates are imported into the null realm, because they are passively needed for chain building. In a case where an active Root CA realm exists, this is not necessary, as the system already knows the Root CA certificate from this realm.

In addition, I noticed that you seem to have a year specification in the name of an Issuing CA. This may imply that you intend to add additional Realms for future "versions" of this Issuing CA. Although this works, this is not how we recommend setting up OpenXPKI, as it contains proper mechanisms to handle a seamless CA rollover within the same PKI Realm. You just import new signers to the Realm and it can live forever.

Cheers
Martin

_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
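The import rule described in the mail (chain building against every Root CA in every realm, with the "null" realm as the passive home of the root), shown as an added, simplified model in shell with OpenSSL; this is not OpenXPKI's own code, realms are modelled as directories under a temporary store, and the Root CA / Issuing CA pair is constructed test data:

```shell
#!/bin/sh
# Model of the import rule: a certificate is accepted into a realm only if a
# chain to a known Root CA can be built, and Root CAs are searched across ALL
# realms, the "null" realm included. Realms are directories under $STORE.
set -eu
STORE="$(mktemp -d)"
trap 'rm -rf "$STORE"' EXIT

# Constructed test hierarchy: a self-signed Root CA and an Issuing CA it signs.
make_hierarchy() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 1 \
    -keyout "$STORE/root.key" -out "$STORE/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
    -keyout "$STORE/ica.key" -out "$STORE/ica.csr" 2>/dev/null
  openssl x509 -req -in "$STORE/ica.csr" -CA "$STORE/root.crt" -CAkey "$STORE/root.key" \
    -CAcreateserial -days 1 -out "$STORE/ica.crt" 2>/dev/null
}

# A Root CA is self-issued: its subject name equals its issuer name.
is_root() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# import_root REALM CERT: trust anchors skip chain building (the "override").
import_root() {
  is_root "$2" || return 1
  mkdir -p "$STORE/realms/$1" && cp "$2" "$STORE/realms/$1/"
}

# import_cert REALM CERT: gather every Root CA from every realm, then refuse
# the import (exit status 1) unless a chain to one of them can be built.
import_cert() {
  roots="$STORE/known_roots.pem"; : > "$roots"
  for f in "$STORE"/realms/*/*.crt; do
    [ -f "$f" ] && is_root "$f" && cat "$f" >> "$roots"
  done
  if [ -s "$roots" ] && openssl verify -CAfile "$roots" "$2" >/dev/null 2>&1; then
    mkdir -p "$STORE/realms/$1" && cp "$2" "$STORE/realms/$1/"
  else
    echo "import into realm '$1' refused: no chain to a known Root CA" >&2
    return 1
  fi
}

make_hierarchy
if ! import_cert issuing-ca "$STORE/ica.crt"; then :; fi   # refused: no Root CA known yet
import_root null "$STORE/root.crt"                          # Root CA goes into the null realm
import_cert issuing-ca "$STORE/ica.crt" && echo "signer imported: chain built via null realm"
```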
