70-216 forum archive, September 2002
offline root certificate? what means?
... you decide to create an offline root certificate authority (CA)....
What does "offline" mean here?
Sorry
Johnny5Alive 2002-09-10, 2:33 am
To have the greatest amount of security with certificates, an offline root cert should be created.
This means exactly what it sounds like, nothing tricky. It IS actually offline. Maybe on a standalone PC disconnected (perhaps physically) from the network.
You shouldn't issue certificates from the root; instead, create a subordinate FROM the root and issue certs from the subordinate. Then take the computer with the root offline. This way, if the security of the keys etc. gets compromised, it doesn't compromise the root, only the subordinate, which you can then REVOKE. If the ROOT gets compromised, you may have larger security issues on your hands.
Sorry, I just looked at the text above. Does that make any sense to you? I think I confused myself. Let me know, I will try to explain it again if you want!!
quote: Originally posted by Johnny5Alive (the reply above, quoted in full)
I don't understand. If this CA is completely offline (I see on several practice tests the option to physically move the CA server out of the network), how do the other subordinates ask this CA for certs? If the server is disconnected, what is the purpose?
For example: VeriSign has standalone CAs to provide signatures and certs. Do these people have offline CAs? I don't see the objective.
Johnny5Alive 2002-09-10, 4:57 am
OK...
In a CA hierarchy, all trust flows from the root. For this reason, the root CA is the most important CA in the hierarchy. If the root CA is compromised, then every certificate in the hierarchy is also compromised. You can maximize the security of the root by keeping the root CA disconnected from the network and using subordinate CAs to issue certificates to other subordinate CAs or to customers.
The key point here is that the root CA should not (and does not) issue certificates to customers; the SUBORDINATE does this job.
The ROOT issues certificates to the SUBORDINATE CA and is then taken offline. The SUBORDINATE issues the certificates to the end users.
elio_de_santis 2002-09-10, 5:13 am
Wouldn't it be easier to say that a CA does not have to be online (reachable) for the certificates it has issued to work?
The client (IE, for example) trusts the CA as long as the "root CA certificate" is installed (or preinstalled: VeriSign etc.) on it.
?
mikop
It seems to me you need to read and understand PKI and CAs; then this will become apparent.
http://www.microsoft.com/technet/tr...oy/cryptpki.asp
Specifically, about 3/5 of the way down, where it addresses CAs and hierarchy.
Edit: I should add that the document demonstrates how important the root is in terms of the hierarchy. To address your question specifically (how is it done?): I don't profess to know how things are done at places like VeriSign, but in general you take the floppy to the root *offline* and then process it. This is touched on in the document when it talks about the root CA needing out-of-band verification, since its certificate is self-signed, blah blah blah. So read and apply and you will understand.
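The procedure the two replies above describe, as an added example that is not part of the thread or of the Microsoft document it links to: a self-signed root that signs only a subordinate's CSR (the CSR being what travels to the disconnected box on removable media, the signed certificate coming back the same way), a subordinate that does the day-to-day issuing, a relying party that verifies with nothing but the root certificate installed (elio_de_santis's point: the root is never contacted, so it can stay powered off), and finally the root revoking the subordinate and republishing its CRL. It uses OpenSSL from a POSIX shell as a stand-in for the Windows 2000 Certificate Services the exam is about; the CA names, the host name www.lab.example, the EC P-256 keys, path-length constraints and lifetimes are all lab assumptions of this example.

```shell
#!/bin/sh
# Two-tier PKI walkthrough with an offline-style root CA.
# Added example, not from the thread. All names and lifetimes are made up; keys are throwaway.
set -eu

# One small OpenSSL config serving all three tools used here:
# req (keys and CSRs), x509 -req (extension sections) and ca (one CRL database per CA).
write_conf() {
    cat > pki.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = overridden by -subj
[ root_ext ]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ sub_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid:always
[ root_ca ]
database = root.index
crlnumber = root.crlnumber
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 30
[ sub_ca ]
database = sub.index
crlnumber = sub.crlnumber
certificate = sub.crt
private_key = sub.key
default_md = sha256
default_crl_days = 30
EOF
    : > root.index; : > sub.index
    echo 1000 > root.crlnumber; echo 1000 > sub.crlnumber
}

build_pki() {
    PKI_DIR="$(mktemp -d)"; cd "$PKI_DIR"; write_conf
    KEYOPT="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
    # 1. Root: self-signed, keyCertSign only, pathlen:1 (one tier of CAs below it).
    #    This is the machine that gets unplugged after step 3.
    openssl req -x509 -new $KEYOPT -days 3650 -config pki.cnf -extensions root_ext \
        -subj "/CN=Lab Offline Root CA" -keyout root.key -out root.crt 2>/dev/null
    # 2. Subordinate: key is generated on the networked box; only the CSR leaves it
    #    (the "floppy" in the thread). The private key never goes anywhere.
    openssl req -new $KEYOPT -config pki.cnf -subj "/CN=Lab Issuing CA" \
        -keyout sub.key -out sub.csr 2>/dev/null
    # 3. At the root: sign the CSR with pathlen:0, so the subordinate may issue
    #    end-entity certs but cannot mint further CAs. sub.crt goes back on the media.
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile pki.cnf -extensions sub_ext -out sub.crt 2>/dev/null
    # 4. Day-to-day issuance happens on the subordinate only.
    openssl req -new $KEYOPT -config pki.cnf -subj "/CN=www.lab.example" \
        -keyout www.key -out www.csr 2>/dev/null
    openssl x509 -req -in www.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 365 -sha256 -extfile pki.cnf -extensions leaf_ext -out www.crt 2>/dev/null
}

# Relying party: trusts only root.crt (like a browser's installed root) and gets
# sub.crt from the peer. The root CA is never contacted, so it can be offline.
verify_chain() {
    openssl verify -CAfile root.crt -untrusted sub.crt www.crt >/dev/null 2>&1
}

# Each CA signs its own CRL; the root's is produced on the offline box and carried out.
issue_crl() {   # $1 = root | sub
    openssl ca -config pki.cnf -name "$1_ca" -gencrl -out "$1.crl" >/dev/null 2>&1
}

verify_chain_with_crls() {
    cat root.crl sub.crl > all.crl
    openssl verify -crl_check_all -CAfile root.crt -CRLfile all.crl \
        -untrusted sub.crt www.crt >/dev/null 2>&1
}

# Issuing CA compromised: the root revokes the subordinate's cert and republishes
# its CRL. Everything below the subordinate now fails, with the root key untouched.
revoke_subordinate() {
    openssl ca -config pki.cnf -name root_ca -revoke sub.crt >/dev/null 2>&1
    issue_crl root
}

demo() {
    build_pki
    verify_chain; echo "chain verifies with only root.crt trusted (root CA stays offline)"
    issue_crl root; issue_crl sub
    verify_chain_with_crls; echo "CRL check passes: nothing revoked yet"
    revoke_subordinate
    if verify_chain_with_crls; then echo "unexpected: chain still valid"; exit 1; fi
    echo "subordinate revoked by root: leaf chain now rejected"
}

demo
```

In a real deployment the root's private key would live on the disconnected machine (or an HSM) and only `sub.csr`, `sub.crt` and `root.crl` would cross the air gap; here everything sits in one temporary directory purely so the script runs end to end. The pathlen constraints are what stop a compromised subordinate from quietly creating new CAs of its own.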
cm2gj 2002-09-10, 10:41 am
quote: Originally posted by mikop (the reply above, quoted in full)
Tough for me. I don't use CAs for anything and I don't have experience with CAs. Thanks anyway.