Hi and Happy NY,
A couple of ideas for PKI design with mixed crypto algorithms that you
might want to consider.
Both are allowed by PKI-related RFCs, the legislation of most countries,
and by (perhaps slightly hacked) openxpki software.
Suppose your community makes use of two different crypto algorithms: a1
and a2.
SubCA1 has a key for a1.
SubCA2 has a key for a2.
Idea 1.
RootCA signs a key for SubCA1 (thus creating a cert) with a2.
RootCA signs a key for SubCA2 (thus creating a cert) with a2 too.
Here you are returning a trust from a1 to a2 at the level of RootCA,
which issues only a2 certs.
Idea 2.
RootCA1 signs a key for SubCA1 (thus creating a cert) with a1.
RootCA2 signs a key for SubCA2 (thus creating a cert) with a2.
RootCA1 signs a key for RootCA2 (thus creating a cross-cert) with a1.
RootCA2 signs a key for RootCA1 (thus creating a cross-cert) with a2.
Here you have two algorithms (a1 and a2) with the same rights.
And you can consider either of the algorithms to be "the ultimate root
of trust".
Regards, Sergei
On 3 Jan 24 Wed 9:37, Thomas Lønskov Luther via OpenXPKI-users wrote:
On Tue, 2 Jan 2024 at 17:22, Martin Bartosch <[email protected]> wrote:
Happy New Year everyone!
> We are running a setup with OpenXPKI with a single Root CA (RSA
> private key) and a couple of intermediate/subordinate CAs (all with
> EC private keys).
>
> Now we have hit a problem where a 3rd party product should act
> as a separate CA but still we want to maintain the trust back to
> our root ca. This is working fine with our subordinate CA on other
> platforms, but this platform requires the signing key being an RSA
> key and not an EC key.
>
> Now I can perfectly fine create a new realm with an RSA key
> (tested ok); however, would it be possible to have multiple private
> keys on a single realm? For example that our Sub CA will sign CSRs
> based on an RSA private key with an RSA key and EC requests with the
> EC key?
As you mentioned, OpenXPKI supports certificates with both EC and
RSA keys, and this is generally true on all "certificate levels":
The active Issuing CA within a PKI Realm can itself be based on an
RSA or an EC key and it can issue EC or RSA certificates.
Apart from that, OpenXPKI supports any number of Issuing CAs
within one single PKI Realm. However, the idea here is that only
one of these Issuing CAs is active at any given time, so this
feature is used to support seamless Issuing CA rollovers where a
newer Issuing CA completely takes over issuance of certificates
and the older CAs within the Realm are in passive mode, issuing
CRLs only.
Now, if I understand you correctly you want to have two distinct
Issuing CA certificates which are valid and concurrently active at
the same time within a PKI Realm, with both actively issuing
certificates.
Correct
This is not supported with the standard workflows within OpenXPKI,
and I don't see it as a feature that is useful in general.
My recommendation is to use two different Realms with different
Issuing CAs below the same Root CA instead.
Ok, that's what I thought, but I just wanted to be sure that there
wasn't a "hidden" feature that would allow for this rather special
case :-) I'll create a new realm and make this RSA based.
It is of course possible to modify/customize the workflows in a
way that this would work, but this requires analysis, design and
implementation to do this right (and my gut feeling is that while
doing so some nasty gotchas might appear).
Yeah, I'd rather not make anything hacky on this setup, it will most
definitely bite me later on during an upgrade or other changes to the
system.
Cheers
Martin
Thanks for your reply.
Thomas
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
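Sergei's "Idea 2" (two roots with different algorithms that cross-certify each other), built with the openssl command line as an added example. This is not code from the thread and not OpenXPKI configuration; the CA names, key sizes, curve, serial numbers and validity periods are illustrative choices. It also shows Martin's point that the issuing CA's key algorithm does not restrict the subject key algorithm: the RSA sub CA certifies an EC key and the EC sub CA certifies an RSA key. Finally it checks that a relying party trusting only one root validates leaves from the other hierarchy through the cross-certificate, and rejects them without it.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenXPKI configuration): Sergei's
# "Idea 2" with openssl.  RootCA1 is RSA (a1), RootCA2 is ECDSA P-256 (a2),
# each root cross-certifies the other, and a relying party trusting only one
# root can still validate leaves issued under the other.  Names, key sizes,
# serials and lifetimes are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the run does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
authorityKeyIdentifier = keyid:always
EOF

# gen_key <file> <rsa|ec>
gen_key() {
  if [ "$2" = rsa ]; then
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  else
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
  fi
}
# self_signed <name>: self-signed root certificate <name>.crt from <name>.key
self_signed() {
  openssl req -x509 -new -key "$1.key" -subj "/CN=$1" -days 3650 \
    -config ca.cnf -extensions root_ext -out "$1.crt" 2>/dev/null
}
# issue <name> <issuer> <ext-section> <serial> [out]: certify <name>.key's
# public key with <issuer>.key.  The subject key may use any algorithm; the
# signature algorithm is dictated by the issuer's key alone.  A cross-cert
# is just this with one root's key as subject and the other root as issuer.
issue() {
  out=${5:-$1}
  openssl req -new -key "$1.key" -subj "/CN=$1" -config ca.cnf \
    -out "$out.csr" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$4" \
    -days 3650 -extfile ca.cnf -extensions "$3" -out "$out.crt" 2>/dev/null
}
# sig_alg <name>: the algorithm <name>.crt is signed with
sig_alg() {
  openssl x509 -in "$1.crt" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
# verify_leaf <root> <leaf> [intermediate...]: succeeds only if a path from
# <leaf>.crt to the single trust anchor <root>.crt can be built using just
# the listed intermediates (default system CA stores are disabled).
verify_leaf() {
  anchor=$1; leaf=$2; shift 2
  opts=""
  if [ $# -gt 0 ]; then
    : > untrusted.pem
    for c in "$@"; do cat "$c.crt" >> untrusted.pem; done
    opts="-untrusted untrusted.pem"   # left unquoted below on purpose
  fi
  openssl verify -no-CApath -no-CAfile -CAfile "$anchor.crt" $opts \
    "$leaf.crt" >/dev/null 2>&1
}

build_pki() {
  gen_key root1.key rsa; gen_key sub1.key rsa; gen_key leaf1.key ec
  gen_key root2.key ec;  gen_key sub2.key ec;  gen_key leaf2.key rsa
  self_signed root1                      # a1 hierarchy: RSA root
  self_signed root2                      # a2 hierarchy: EC root
  issue sub1 root1 ca_ext 1001           # RSA root -> RSA sub CA
  issue sub2 root2 ca_ext 2001           # EC root  -> EC sub CA
  issue leaf1 sub1 leaf_ext 1002         # RSA sub CA certifies an EC subject key
  issue leaf2 sub2 leaf_ext 2002         # EC sub CA certifies an RSA subject key
  issue root2 root1 ca_ext 1003 root2-via-root1   # RootCA1 cross-certifies RootCA2's key
  issue root1 root2 ca_ext 2003 root1-via-root2   # RootCA2 cross-certifies RootCA1's key
}

build_pki
echo "leaf1 (EC key) signed with: $(sig_alg leaf1)"    # sha256WithRSAEncryption
echo "leaf2 (RSA key) signed with: $(sig_alg leaf2)"   # ecdsa-with-SHA256
verify_leaf root1 leaf2 sub2 root2-via-root1 && echo "trust root1 only: leaf2 valid via cross-cert"
verify_leaf root2 leaf1 sub1 root1-via-root2 && echo "trust root2 only: leaf1 valid via cross-cert"
verify_leaf root1 leaf2 sub2 || echo "trust root1 only, no cross-cert: leaf2 rejected"
```

The cross-certificates carry the same subject name and subjectKeyIdentifier as the self-signed roots because they certify the same public key, which is what lets a path builder starting at SubCA2 step from RootCA2's cross-cert to RootCA1 as the trust anchor. Relying parties must be handed the cross-cert as an untrusted intermediate (here via -untrusted); it does not go into the trust store, otherwise both roots are trusted directly and the cross-certification is never exercised.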