#1337 Support sub-CA OCSP signing delegation
Closed: migrated 3 years ago by dmoluguw. Opened 8 years ago by ftweedal.

In the initial implementation, lightweight sub-CAs sign OCSP
responses with the CA signing certificate.

It should be possible to configure (at creation time) a lightweight
sub-CA to delegate OCSP signing to a dedicated, subordinate OCSP
signing certificate. This will involve:

  • update API and CLI to have option to specify whether OCSP delegation
    should be used, and register the choice with the subCA config.

  • generating an additional keypair for OCSP signing and ensure the private
    key is replicated among replica

  • create request and sign the OCSP signing certificate

  • update OCSP responder and/or CertificateAuthority class to, for subCAs using
    OCSP delegation, instantiate a SigningUnit for OCSP and use it when signing
    OCSP requests.


Metadata Update from @ftweedal:
- Issue set to the milestone: UNTRIAGED

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1899

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago

Login to comment on this ticket.

Metadata