John Mok wrote:
> As the number of PCs is large, it is too difficult, if not impossible,
> to install the self-signed certificates of both rootCA1 and rootCA2 as
> trusted root CAs on every PC.
>
> Is there any better way, that is, to cross-certify both rootCA1 and rootCA2,
> such that the machines with a certificate signed by subCA1 would trust the
> certificates signed by subCA3? And vice versa.
This depends strongly on what applications you want to use the certificates with:

If you use the certificates for client authentication to a server, the server has to get the cross certificates to be able to evaluate the client certificate chains (or you might provide the servers with both root certificates).

If you use the certificates for email signing & encryption (S/MIME), you still have to distribute the cross certificates with the sent emails (so if a receiver of a mail has trusted root A and the sender's certificate is under root B, the mail has to contain the chain from the user to root B plus the cross certificate "A signs B").

There might be some applications that do not work properly with cross certificates (sometimes they depend on the order of the certificates in the given certificate chain, sometimes other problems arise). A comprehensive application testing of cross certificates was done in a (public) report of SURFNET and DFN-CERT; you can get the report here:

http://www.pca.dfn.de/bibliothek/reports/pki-linking/

It contains a list of applications at the end which states what works.

It is difficult to give you more specific advice without knowing what you want to use the certificates for...

Cheers,
Olaf

--
Dipl.Inform. Olaf Gellert                  INTRUSION-LAB.NET
Senior Researcher,                         www.intrusion-lab.net
PKI - and IDS - Services                   [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]