0

According to the way I read the literature, a two-tier PKI hierarchy with an offline root CA provides redundancy and an extra layer of security in case your subordinate CA's private key gets compromised. But how does this work?

Let's say I have an offline root CA and use it to sign a subordinate CA, and then use the subordinate CA to sign an internal web server. Now let's say the subordinate CA's key gets compromised. No problem according to the literature. You just burn your subordinate and build a new one. Then you fire up the root CA and sign the new subordinate, and you're back in business.

The problem is that the web server was signed with a now invalid subordinate CA certificate, and the chain of trust is broken. So would I need to also re-sign the web server with the new subordinate's key? If I have to re-sign everything with the new subordinate, then what is the purpose of having the offline root CA in the first place?

Clearly I'm not understanding something here.

Wes Sayeed

2 Answers

3

The clients trust the root CA, not the subordinate CA. If the subordinate CA is compromised, you only have to switch it. You don't have to replace the root CA on all clients, because it is still safe.

Gerald Schneider
  • If they trust the root, not the subordinate, then why would I care that the subordinate's key got compromised? How would it stop an attacker from signing malicious code with my root CA? In other words, how do clients tell the difference between a cert issued by a new server vs. the old, compromised one? – Wes Sayeed Aug 02 '17 at 09:01
  • This is answered quite thoroughly here: https://security.stackexchange.com/questions/34043/what-does-having-an-internal-two-tier-pki-protect-against/34457#34457 – Gerald Schneider Aug 02 '17 at 09:47
0

The root CA is trusted by your clients and tells your clients to trust the subordinate CA. Your clients look at a revocation list when verifying a certificate. If your CA is compromised, your clients will continue to trust any certificate issued by that CA, including malicious ones. If it was a subordinate, then you can issue a revocation by your root CA so that clients will no longer trust the certificates. If a root CA is compromised, you will have to find another method to tell your clients not to trust the certificates.