What is the main problem of the renewal of a root CA certificate?

Last Updated on March 28, 2022 by Admin 3

What is the main problem of the renewal of a root CA certificate?

  • It requires key recovery of all end user keys
  • It requires the authentic distribution of the new root CA certificate to all PKI participants
  • It requires the collection of the old root CA certificates from all the users
  • It requires issuance of the new root CA certificate
Explanation:

The main task here is the authentic distribution of the new root CA certificate, as the new trust anchor, to all PKI participants (e.g. the users).

In some rollover scenarios there is no automatic way to do this; often an explicit trust decision by each user is needed, which can be very costly.

Other methods make use of the old root CA certificate for automatic trust establishment (see the PKIX reference), but these solutions work well only in scenarios where the current root CA certificate is still valid (and not in emergency cases, e.g. compromise of the current root CA certificate).
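As an added example (not from the original page or the cited paper), the PKIX mechanism referred to above built with Go's standard library: the old root re-signs the new root's certificate (the NewWithOld link certificate of RFC 4210), so a relying party that still holds only the old trust anchor accepts certificates issued by the new root without any manual trust decision. All names, serial numbers and keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl (carrying pub) with the issuer's key; pass parent == tmpl for a self-signed root.
func mkCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// tmpl is a minimal template with a constructed name and a one-day validity window.
func tmpl(cn string, serial int64, ca bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku}
}

// RolloverDemo verifies a user certificate issued under the new root from the viewpoint of a
// relying party that trusts only the old root: first without, then with the NewWithOld link.
func RolloverDemo() (withoutLink, withLink error) {
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	oldT, newT := tmpl("Old Root CA", 1, true, x509.KeyUsageCertSign), tmpl("New Root CA", 2, true, x509.KeyUsageCertSign)
	oldRoot := mkCert(oldT, oldT, oldPub, oldKey)
	newRoot := mkCert(newT, newT, newPub, newKey)
	link := mkCert(newRoot, oldRoot, newPub, oldKey) // NewWithOld: the new root's contents, signed by the old key
	user := mkCert(tmpl("alice (constructed)", 3, false, x509.KeyUsageDigitalSignature), newRoot, userPub, newKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(oldRoot) // the only trust anchor installed at the relying party so far
	_, withoutLink = user.Verify(opts)
	opts.Intermediates = x509.NewCertPool()
	opts.Intermediates.AddCert(link) // shipped with the new root; bridges the old anchor to the new hierarchy
	_, withLink = user.Verify(opts)
	return
}
func main() {
	fmt.Println(RolloverDemo()) // prints a verification error, then <nil>
}
```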

The rollover of the root CA certificate is a specific and delicate problem and is therefore often ignored during PKI deployment.

Reference: Camphausen, I.; Petersen, H.; Stark, C.: Konzepte zum Root CA Zertifikatswechsel, Enterprise Security 2002, March 26-27, 2002, Paderborn; RFC 2459: Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
