Thanks, Arshad. Is there some way to make the CA cross-check the
CSR against the profile when the RA is also present? Or is this
automatically enabled?
I must have missed something when I set the cert profile... When I
tried this, it seemed as if the CA was not verifying correctness of the
issued certificate against the cert profile. It seemed to be just adding
its signature. Also it added the Authority Key Identifier but not the
Subject Key Identifier (as per RFC 5280 it looks like the CA adds this field)
- though both were mentioned in the profile.
>-----Original Message-----
>From: Arshad Noor [mailto:arshad.noor@strongauth.com]
>Sent: Monday, March 22, 2010 11:43 AM
>To: Thomas Shanthi-LST016
>Cc: pki-users(a)redhat.com
>Subject: Re: [Pki-users] CErtificate profile validation
>
>Technically, it can occur at either or both locations.
>However, from a business and operational point-of-view, most
>PKIs do the verification at the RA. This is because it
>allows different RAs to use different policies, procedures
>and tools to do the key-generation, verification, etc.,
>before sending the verified CSR to the CA for signing.
>
>From an operational point of view, having RAs do the
>verification allows you to scale a CA to sign more
>certificates in a given unit of time, since it only has to sign
>certificates and CRLs instead of verifying and signing.
>
>Yes, the CA can indeed add all the required
>constraints/extensions as needed to the certificate based on
>the profile, before it signs the CSR.
>
>Arshad Noor
>StrongAuth, Inc.
>
>----- Original Message -----
>From: "Thomas Shanthi-LST016" <Shanthi.Thomas(a)motorola.com>
>To: pki-users(a)redhat.com
>Sent: Monday, March 22, 2010 9:00:59 AM (GMT-0800) America/Los_Angeles
>Subject: [Pki-users] CErtificate profile validation
>
>_______________________________________________
>Pki-users mailing list
>Pki-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/pki-users
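The thread carries no code, so the following is an added example, not from the original messages and not Red Hat Certificate System's own code. It reproduces with the OpenSSL command line the two behaviours discussed above: a CA that merely signs whatever CSR the RA forwards, and a CA that applies the extensions from its profile, followed by the post-issuance check a practitioner would run to catch the first case. The CA, the subjects, the profile file and the helper names (`check_profile`, `ski_matches`) are all constructed for this example. The check also recomputes the Subject Key Identifier the way RFC 5280 section 4.2.1.2 method (1) describes, to confirm the CA populated it from the subject's key. Which of the four extensions the "lax" certificate lacks depends on the OpenSSL release (newer ones may add the key identifiers on their own); Key Usage and Basic Constraints are never added without the profile.

```shell
#!/bin/sh
# Added example (not from the original thread or from Red Hat Certificate
# System): a lax CA that only signs the CSR versus a CA that applies its
# profile, plus a post-issuance conformance check. All names, the profile
# and the certificates are constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway issuing CA and an end-entity CSR (constructed test data).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
    -subj "/CN=ee.example.test" >/dev/null 2>&1

# Case 1: the CA just signs what the RA forwarded. No extension file, so
# the profile's extensions are never consulted.
openssl x509 -req -in ee.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out lax.crt >/dev/null 2>&1

# Case 2: the CA applies its profile. The extensions come from the CA's own
# configuration, never from the CSR. (Hypothetical profile for this example.)
cat > profile.ext <<'EOF'
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
keyUsage               = critical, digitalSignature, keyEncipherment
basicConstraints       = critical, CA:FALSE
EOF
openssl x509 -req -in ee.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile profile.ext -out good.crt >/dev/null 2>&1

# check_profile CERT: report every extension the profile requires but the
# issued certificate lacks. Returns the number of missing extensions (0 = ok).
check_profile() {
    text=$(openssl x509 -in "$1" -noout -text)
    missing=0
    for ext in "Subject Key Identifier" "Authority Key Identifier" \
               "Key Usage" "Basic Constraints"; do
        if ! printf '%s\n' "$text" | grep -q "X509v3 $ext"; then
            echo "$1: missing $ext"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# ski_matches CERT: recompute the key identifier as RFC 5280 4.2.1.2
# method (1) describes (SHA-1 over the subjectPublicKey BIT STRING contents)
# and compare it with the Subject Key Identifier the CA wrote into CERT.
ski_matches() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER -out spki.der
    # asn1parse reports the BIT STRING's offset and header length in the SPKI.
    set -- "$1" $(openssl asn1parse -inform DER -in spki.der \
        | sed -n 's/^ *\([0-9]*\):d=[0-9]* *hl=\([0-9]*\) .*BIT STRING.*/\1 \2/p' | head -1)
    # Skip the header and the single "unused bits" byte, then hash the key bits.
    computed=$(tail -c +$(($2 + $3 + 2)) spki.der | openssl dgst -sha1 | sed 's/^.*= *//')
    present=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Key Identifier' | tail -1 | tr -d ' :' | tr 'A-Z' 'a-z')
    [ -n "$present" ] && [ "$computed" = "$present" ]
}

check_profile lax.crt  || echo "lax.crt does not conform to the profile"
check_profile good.crt && ski_matches good.crt \
    && echo "good.crt conforms and its SKI matches the subject key"
```

Run this against certificates your own CA issued (replace `lax.crt`/`good.crt` with the real files and edit the extension list in `check_profile` to match your profile) to see whether the CA enforced the profile or only signed; a Subject Key Identifier that is present but does not match the subject's key is the second thing worth catching, since an RA or CSR template can carry a stale one.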