[Pki-devel] assorted sub-CA use case questions

Fraser Tweedale ftweedal at redhat.com
Thu Apr 2 03:47:30 UTC 2015

Hi Christina,

The following questions emerged in recent discussions and work on
sub-CAs.  Your responses will be helpful in working out what work is
needed, and when.

*OCSP signing*

Currently sub-CAs sign OCSP responses with the CA signing
certificate, rather than using the CA cert to sign an OCSP signing
cert and delegating OCSP signing to it.

Question : do you expect customers who use sub-CAs will want to be
able to choose whether sub-CAs have OCSP signing delegate?  If so,
how fine-grained should the control be (instance-wide config,
per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
signing directly by CA acceptable for initial release of sub-CAs)?

*Sub-CA DNs*

There is currently no check that a sub-CA's DN is unique.

Question : should we enforce CA DN uniqueness within the Dogtag

*Sub-CA certificate profile*

Currently sub-CA certificates are created using the `caCert' profile
(the same profile that is used for the self-signed root

Question : how much control over aspects of the sub-CA certificates
will customers need or want?  (e.g. validity period,
pathLenConstraint, nonstandard extensions, etc).  Is using the
`caCert' profile defaults fine for the initial release?

Look forward to your input.
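The following Go program is an added illustration of the first three points above and is not code from Dogtag or from this thread. It builds a constructed root / sub-CA / delegated-responder hierarchy with the standard crypto/x509 package and encodes the two checks the questions turn on: whether a given responder certificate is acceptable for a CA under the RFC 6960 rule (either the CA signs directly with its own signing cert, or the responder cert is issued by that CA and carries id-kp-OCSPSigning), and whether CA subject DNs collide. It also issues the sub-CA with an explicit pathLenConstraint of 0 as one concrete instance of the profile controls asked about. All names, serial numbers, validity periods and the "EXAMPLE" organisation are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is the constructed fixture: OCSPSigner and Leaf are issued by SubCA.
type Hierarchy struct{ Root, SubCA, OCSPSigner, Leaf *x509.Certificate }

// newTemplate mirrors a caCert-style profile when ca is true (CA basic constraints,
// certSign/cRLSign, explicit pathLenConstraint); otherwise an end-entity cert with ekus.
func newTemplate(cn string, serial int64, ca bool, pathLen int, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"EXAMPLE"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	if ca {
		t.BasicConstraintsValid, t.IsCA = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
	}
	return t
}

// issue signs tmpl with parent/parentKey (nil parent means self-signed); panics are fine for a fixture.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildHierarchy constructs root (pathLen 1) -> sub-CA (pathLen 0) -> {OCSP signer, leaf}.
func BuildHierarchy() Hierarchy {
	root, rootKey := issue(newTemplate("Example Root CA", 1, true, 1), nil, nil)
	sub, subKey := issue(newTemplate("Example Sub CA", 2, true, 0), root, rootKey)
	ocsp, _ := issue(newTemplate("Example Sub CA OCSP Responder", 3, false, 0, x509.ExtKeyUsageOCSPSigning), sub, subKey)
	leaf, _ := issue(newTemplate("server.example.test", 4, false, 0, x509.ExtKeyUsageServerAuth), sub, subKey)
	return Hierarchy{Root: root, SubCA: sub, OCSPSigner: ocsp, Leaf: leaf}
}

// OCSPSignerAcceptable applies the RFC 6960 s.4.2.2.2 rule: responses for certs issued by
// issuer may be signed by the issuer itself, or by an issuer-signed cert with id-kp-OCSPSigning.
func OCSPSignerAcceptable(issuer, signer *x509.Certificate) error {
	if signer.Equal(issuer) {
		return nil // the CA signs responses directly with its own signing cert
	}
	if err := signer.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("responder cert not issued by %q: %w", issuer.Subject.CommonName, err)
	}
	for _, eku := range signer.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}
	return errors.New("responder cert lacks id-kp-OCSPSigning extended key usage")
}

// DuplicateCADN returns the first subject DN seen twice, or "" (string comparison simplifies RFC 5280 matching).
func DuplicateCADN(cas ...*x509.Certificate) string {
	seen := map[string]bool{}
	for _, c := range cas {
		dn := c.Subject.String()
		if seen[dn] {
			return dn
		}
		seen[dn] = true
	}
	return ""
}

func main() {
	h := BuildHierarchy()
	fmt.Println("sub-CA has pathLenConstraint 0:", h.SubCA.MaxPathLenZero)
	fmt.Println("server cert as responder:", OCSPSignerAcceptable(h.SubCA, h.Leaf))
	fmt.Println("duplicate DN:", DuplicateCADN(h.Root, h.SubCA, h.SubCA))
}
```

The delegated-responder check is the piece a consumer of sub-CA OCSP responses needs regardless of which option is chosen for the initial release: if a sub-CA signs directly, `signer.Equal(issuer)` is the accepting path; if signing is delegated, the responder cert must chain to that sub-CA and carry the OCSP signing EKU, which is what the `caCert`-style template deliberately does not grant.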
