Rich Salz wrote:

At the risk of being immodest, you might find this column useful:
   http://webservices.xml.com/pub/a/ws/2003/12/09/salz.html

This is a verbatim quote from the text at that URL:


> The root will sign the Level 1 CA and then be taken offline.
> Anyone who wants to validate any identity within our organization
> only needs to have our root certificate. If the enterprise merges
...........................................========================
> or joins a commercial PKI (such as Identrus), then we only need
=================================================================
> to get the root certificate signed by our new "super root".
=============================================================

Now, I've seen this (kind of) quote over and over again from the
theoreticians of PKI, but as a practical implementor I've never
really understood how things could be quite this simple.  Perhaps
it would be edifying if somebody who's been in this stuff more
than just a few years could straighten me out.

The example PKI from that article has only one intermediate
certificate (called the "Level 1 CA") so there would seem to
be only two possible configurations for an SSL server operating
under this example: either the server has a two-certificate chain
(the L1 certificate and the end-user certificate for the server
itself) or a three-certificate chain (above plus ROOT CA).

Now, what has to happen at EACH server in the enterprise when
doing a transition from this local CA to a "commercial PKI
(such as Identrus)"????

If (without loss of generality) Identrus signs the pre-existing
root certificate, that produces a new root certificate, although
it contains the same public key as the pre-existing root.

In the two-certificate case above, nothing needs to be done to
the server, since it never had the root in the first place.
In the three-certificate case, the new root certificate
(signed by Identrus instead of "signed by itself" (self-signed))
must be installed on every server.  I understand this.

HOWEVER, what now happens at the client?  In the two-certificate
case, the client lacks the critical link from L1 to the Identrus
root it already has (came installed in the browser), so in this
case we need to visit every server and convert it from the
two-certificate to the three-certificate configuration to
get the "missing link" available to the client?  In the
three-certificate case do we need to replace the self-signed
root in every server with the "missing link" certificate?

In any case, it seems like we must do something explicit at
every server in the enterprise.  Am I missing something here?

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
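A runnable reconstruction of the situation described in the post, added here as an example (not part of the original thread, the article, or the OpenSSL project): it builds the root / Level 1 / server chain with the openssl command line, cross-signs the same root key under a stand-in "Super Root", and checks which trust-anchor / server-chain combinations verify. The CA names and the hostname are made up.

```shell
#!/bin/sh
# Added example, not part of the original thread: rebuild the two-level
# hierarchy from the post with OpenSSL and see which chain a server must
# send once the enterprise root is cross-signed by a "super root".
# All names (Enterprise Root, Level 1 CA, Super Root) are made up here.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Extensions that let openssl verify treat a certificate as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

newcsr() { # newcsr NAME CN -> NAME.key, NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
sign() { # sign CSR ISSUER OUT [EXTFILE] -> OUT, signed with ISSUER.key
  openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -out "$3" ${4:+-extfile "$4"} 2>/dev/null
}
verify() { # verify TRUST_ANCHOR UNTRUSTED_CHAIN -> OK or FAIL for server.crt
  if openssl verify -CAfile "$1" -untrusted "$2" server.crt >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# The enterprise root, self-signed (then taken offline, per the article).
newcsr root "Enterprise Root"
openssl x509 -req -in root.csr -signkey root.key -days 365 -out root.crt \
  -extfile ca.ext 2>/dev/null
# Level 1 CA signed by the root, and a server certificate signed by L1.
newcsr l1 "Level 1 CA";           sign l1.csr root l1.crt ca.ext
newcsr server "www.example.test"; sign server.csr l1 server.crt
# The commercial "super root" (stand-in for Identrus) and its cross-
# certificate over the SAME root public key: new certificate, same key.
newcsr super "Super Root"
openssl x509 -req -in super.csr -signkey super.key -days 365 -out super.crt \
  -extfile ca.ext 2>/dev/null
sign root.csr super root-cross.crt ca.ext

cp l1.crt chain-old.pem                     # two-certificate server today
cat l1.crt root-cross.crt > chain-new.pem   # L1 plus the cross-signed root

case_old_client_old_chain() { verify root.crt  chain-old.pem; } # OK
case_new_client_old_chain() { verify super.crt chain-old.pem; } # FAIL: missing link
case_new_client_new_chain() { verify super.crt chain-new.pem; } # OK
case_old_client_new_chain() { verify root.crt  chain-new.pem; } # OK: old clients fine
for c in case_old_client_old_chain case_new_client_old_chain \
         case_new_client_new_chain case_old_client_new_chain; do
  echo "$c: $($c)"
done
```

Neither the server certificate nor the L1 certificate changes; only the extra cross-signed root in the served chain differs, and clients that still trust the old self-signed root keep verifying because OpenSSL consults the trust store before the untrusted chain when building the path.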

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
