Posted to issues@ozone.apache.org by "István Fajth (Jira)" <ji...@apache.org> on 2022/10/24 15:27:00 UTC

[jira] [Updated] (HDDS-7395) Subordinate CA certificate revocation

     [ https://issues.apache.org/jira/browse/HDDS-7395?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

István Fajth updated HDDS-7395:
-------------------------------
        Parent:     (was: HDDS-7334)
    Issue Type: Improvement  (was: Sub-task)

> Subordinate CA certificate revocation
> -------------------------------------
>
>                 Key: HDDS-7395
>                 URL: https://issues.apache.org/jira/browse/HDDS-7395
>             Project: Apache Ozone
>          Issue Type: Improvement
>            Reporter: István Fajth
>            Assignee: István Fajth
>            Priority: Major
>
> In the event of revoking a subordinate CA certificate, we need to follow a similar procedure to the revocation of the rootCA certificate, but it affects just the certificates that are signed by the to-be-revoked subordinate CA certificate.
> When we have an internally generated rootCA certificate:
> The new subordinate CA certificate does not have to be distributed; it will be part of the certificate bundles that are provided upon signing new certificates, and the new subordinate CA certificate will be signed by one of the existing subordinate CA certificates.
> In this case extra care has to be taken to ensure that when we revoke a particular subordinate CA certificate, we do not revoke the last one that is inheriting trust from the existing rootCA certificate. If a revocation breaks the chain of trust from the existing rootCA certificate, then the rootCA certificate has to be revoked.
> When we have an externally configured rootCA certificate:
> The system should use that to sign the new subordinate CA certificate.
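The rule in the issue above (never revoke the last subordinate CA that still inherits trust from the root, and treat a broken chain as a root revocation) can be expressed as a pre-revocation check. The following is an added example, not Ozone code: it models certificates as a hypothetical `Cert` record linked by serial to its issuer, walks the issuer chain to the root while skipping revoked entries, and reports which certificates would lose their chain of trust and whether any subordinate CA remains anchored to the root. Serials, the `plan_revocation` and `chains_to_root` names and the sample PKI are all constructed for the example.

```python
"""Chain-of-trust check before revoking a subordinate CA.

Hypothetical model, not Ozone code: certificates are identified by serial
and linked to their issuer's serial; the root CA is self-signed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: str      # unique id of this certificate (constructed values below)
    issuer: str      # serial of the certificate that signed it
    is_ca: bool      # True for root and subordinate CA certificates


def chains_to_root(serial: str, certs: dict, revoked: set, root_serial: str) -> bool:
    """Walk issuer links; True if an unrevoked path reaches the root."""
    seen = set()
    cur = serial
    while cur not in seen:
        seen.add(cur)
        cert = certs.get(cur)
        if cert is None or cur in revoked:
            return False
        if cur == root_serial:
            return True
        cur = cert.issuer
    return False  # cycle without reaching the root


def plan_revocation(target: str, certs: dict, revoked: set, root_serial: str) -> dict:
    """Evaluate revoking subordinate CA `target`.

    Returns which certificates lose their chain of trust and whether at least
    one other subordinate CA still inherits trust from the root afterwards.
    If none does, the issue's rule applies: the root itself must be revoked
    instead, so the plan is reported as not allowed.
    """
    if target == root_serial or not certs[target].is_ca:
        raise ValueError("target must be a subordinate CA certificate")
    after = revoked | {target}
    # Certificates that chain to the root now but would not after revocation
    # (includes the target itself and any sub-CA or leaf signed under it).
    affected = {
        s for s in certs
        if s not in revoked
        and chains_to_root(s, certs, revoked, root_serial)
        and not chains_to_root(s, certs, after, root_serial)
    }
    # Subordinate CAs that would still inherit trust from the root.
    remaining = {
        s for s, c in certs.items()
        if c.is_ca and s != root_serial
        and chains_to_root(s, certs, after, root_serial)
    }
    return {"allowed": bool(remaining), "affected": affected, "remaining_subcas": remaining}


# Constructed sample PKI: root R; sub-CAs S1 and S3 signed by R, S2 signed by S1
# (a new sub-CA signed by an existing one, as the issue describes); three leaves.
CERTS = {c.serial: c for c in [
    Cert("R", "R", True),
    Cert("S1", "R", True), Cert("S2", "S1", True), Cert("S3", "R", True),
    Cert("L1", "S1", False), Cert("L2", "S2", False), Cert("L3", "S3", False),
]}

if __name__ == "__main__":
    print(plan_revocation("S1", CERTS, set(), "R"))     # allowed, S3 remains
    print(plan_revocation("S1", CERTS, {"S3"}, "R"))    # not allowed: no sub-CA left
```

Revoking S1 in the sample invalidates S2 and the leaves under both, but S3 still anchors to R, so the plan is allowed; with S3 already revoked, the same request would break every chain from the root and is refused, which is the case where the issue says the rootCA certificate itself must be revoked.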



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
