[Pki-users] CErtificate profile validation

Thomas Shanthi-LST016 Shanthi.Thomas at motorola.com
Mon Mar 22 16:48:28 UTC 2010


Thanks, Arshad. Is there some way to enforce the CA to cross-check the
CSR against the profile when the RA is also present? Or is this
automatically enabled?

I must have missed something when I set the cert profile... When I
tried this, it seemed as if the CA was not verifying correctness of the
issued certificate against the cert profile. It seemed to be just adding
its signature. Also it added the Authority Key Identifier but not the
subject key identifier (as per RFC 5280 it looks like the CA adds this field)
- though both were mentioned in the profile.

>>-----Original Message-----
>>From: Arshad Noor [mailto:arshad.noor at strongauth.com] 
>>Sent: Monday, March 22, 2010 11:43 AM
>>To: Thomas Shanthi-LST016
>>Cc: pki-users at redhat.com
>>Subject: Re: [Pki-users] CErtificate profile validation
>>
>>Technically, it can occur at either or both locations.  
>>However, from a business and operational point-of-view, most 
>>PKIs do the verification at the RA.  This is because it 
>>allows different RAs to use different policies, procedures 
>>and tools to do the key-generation, verification, etc., 
>>before sending the verified CSR to the CA for signing.  
>>
>>From an operational point of view, having RAs do the 
>>verification allows you to scale a CA to sign more 
>>certificates in a given unit of time if it only had to sign 
>>certificates and CRLs instead of verifying and signing.
>>
>>Yes, the CA can indeed add all the required 
>>constraints/extensions as needed to the certificate based on 
>>the profile, before it signs the CSR.
>>
>>Arshad Noor
>>StrongAuth, Inc.
>>
>>----- Original Message -----
>>From: "Thomas Shanthi-LST016" <Shanthi.Thomas at motorola.com>
>>To: pki-users at redhat.com
>>Sent: Monday, March 22, 2010 9:00:59 AM (GMT-0800) America/Los_Angeles
>>Subject: [Pki-users] CErtificate profile validation
>>
>>
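
An added example, not part of the original thread and not code from the CA product discussed: one way to check an issued certificate against the extensions a profile names, using the Python `cryptography` package. The `PROFILE` dictionary, the subject and issuer names, and the `issue` test helper are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Hypothetical profile: extension name -> (OID, required critical flag).
# RFC 5280 requires both of these extensions to be marked non-critical.
PROFILE = {
    "authorityKeyIdentifier": (ExtensionOID.AUTHORITY_KEY_IDENTIFIER, False),
    "subjectKeyIdentifier": (ExtensionOID.SUBJECT_KEY_IDENTIFIER, False),
}

def profile_violations(cert, profile=PROFILE):
    """List every way the issued certificate deviates from the profile."""
    present = {ext.oid: ext for ext in cert.extensions}
    findings = []
    for name, (oid, critical) in sorted(profile.items()):
        if oid not in present:
            findings.append(f"{name}: missing")
        elif present[oid].critical != critical:
            findings.append(f"{name}: critical={present[oid].critical}, profile requires {critical}")
    return findings

def issue(ca_key, ee_key, ski_critical=None):
    """Constructed test issuer: always adds AKI; adds SKI only if ski_critical is not None."""
    start = datetime.datetime(2010, 3, 22)
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key())
    builder = (
        x509.CertificateBuilder()
        .subject_name(name("ee.example.test"))
        .issuer_name(name("Constructed Test CA"))
        .public_key(ee_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(aki, critical=False)
    )
    if ski_critical is not None:
        ski = x509.SubjectKeyIdentifier.from_public_key(ee_key.public_key())
        builder = builder.add_extension(ski, critical=ski_critical)
    return builder.sign(ca_key, hashes.SHA256())

# Throwaway keys generated at run time for the constructed test certificates.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
EE_KEY = ec.generate_private_key(ec.SECP256R1())
if __name__ == "__main__":
    print(profile_violations(issue(CA_KEY, EE_KEY)))  # AKI present, SKI omitted
```

To check a real certificate, load it with `x509.load_pem_x509_certificate` and pass it to `profile_violations` with a profile that mirrors the CA's configured one.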



