
I have an architecture where there is a single root CA and multiple sub-CAs. Each sub-CA publishes certificates for devices in its "domain". Within each domain is a VPN gateway (Cisco router). I would like to determine if it is possible to devise a configuration where each domain's VPN gateway would be able to check whether the connecting device's certificate has been revoked at its domain's sub-CA or at one of the other domains' sub-CAs. I'm also looking for the most efficient solution, one which would require as little configuration as possible when adding new domains.

Thanks!

1 Answer


A CRL or OCSP response has the serial number of the revoked certificate in a list, which is signed by the issuing CA or OCSP responder. This ensures that when I revoke certificate serial no 123456789 on my CA that the certificate with the same serial number but issued by your CA isn't revoked instead. Certificate serial numbers, although long, aren't globally unique.

From a security perspective, the ability to revoke another CA's certificates would just cause mayhem and the consequences would be dire.

The only CA that can revoke a certificate is the one that issued it.

garethTheRed
  • Understood, but could a Cisco router be configured to check multiple CRLs or OCSP responders to see if the certificate it had just been presented with has been revoked by any of the sub-CAs? Global serial number uniqueness shouldn't be an issue here as we're only talking about dozens of certificates issued. – baltimore_cg Mar 09 '16 at 02:39
  • Global serial numbers might not be an issue for you, but the protocol is fixed (RFC 5280 - a great bedtime read) and unless you start rewriting a ton of code, you're stuck with it ;-). One thought that crossed my mind was indirect CRLs, but they're not well supported; and I'm not certain they'd help you anyway (more homework would be needed). – garethTheRed Mar 09 '16 at 07:40
  • Your certificates are on network devices, which should be secured - how often do you envisage revoking certs? Chances are, if you look after your network devices, that you'll never need to revoke anyway. It would be a different story if you were looking at smartphone or user certs, which can easily be compromised. Are you looking for a solution to a problem that doesn't exist? Or is there a specific reason you're investigating this? – garethTheRed Mar 09 '16 at 07:43
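The answer's point, that a CRL is only meaningful together with the CA that signed it because serial numbers are not globally unique, can be seen in a small model of the check a gateway would run when it is handed CRLs from several sub-CAs. The example below is added here and is not code from the question, the answer, or any Cisco feature; the sub-CA names, keys and serial numbers are constructed placeholders, and an HMAC stands in for the CA's real signature over the CRL (RFC 5280 CRLs are signed with the issuing CA's private key). It shows a checker that first selects the CRL whose issuer matches the certificate's issuer and verifies it under that CA's trusted key, next to a naive checker that keys on the serial alone and therefore "revokes" the other sub-CA's certificate with the same serial.

```python
"""Revocation lookup across several sub-CA CRLs: match on issuer, then serial.

Constructed example. Sub-CA names, keys and serials are placeholders, and an
HMAC replaces the CA's asymmetric signature purely to keep the example
self-contained; the matching logic is the part being demonstrated.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Certificate:
    issuer: str  # distinguished name of the issuing sub-CA
    serial: int  # unique only within that issuer (RFC 5280)


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: frozenset
    signature: bytes


def _crl_payload(issuer: str, revoked: frozenset) -> bytes:
    """Canonical bytes that the CA signs: its own name plus the revoked serials."""
    return (issuer + "|" + ",".join(str(s) for s in sorted(revoked))).encode()


def sign_crl(issuer: str, revoked: Iterable[int], ca_key: bytes) -> CRL:
    """Stand-in for a CA signing its CRL (HMAC instead of RSA/ECDSA; constructed)."""
    revoked = frozenset(revoked)
    sig = hmac.new(ca_key, _crl_payload(issuer, revoked), hashlib.sha256).digest()
    return CRL(issuer, revoked, sig)


def crl_is_valid(crl: CRL, trusted_keys: dict) -> bool:
    """Accept a CRL only if it verifies under the key of the CA it claims to be from."""
    key = trusted_keys.get(crl.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _crl_payload(crl.issuer, crl.revoked), hashlib.sha256).digest()
    return hmac.compare_digest(expected, crl.signature)


def is_revoked(cert: Certificate, crls: Iterable[CRL], trusted_keys: dict) -> Optional[bool]:
    """Correct check: only a valid CRL from the certificate's own issuer counts.

    Returns True/False when such a CRL was found, None when no usable CRL
    covers the issuer (the gateway then decides whether to fail open or closed).
    """
    for crl in crls:
        if crl.issuer != cert.issuer:
            continue  # another CA's list says nothing about this certificate
        if not crl_is_valid(crl, trusted_keys):
            continue  # unsigned or forged list is ignored
        return cert.serial in crl.revoked
    return None


def naive_is_revoked(cert: Certificate, crls: Iterable[CRL]) -> bool:
    """Buggy check that ignores the issuer: serials collide across CAs."""
    return any(cert.serial in crl.revoked for crl in crls)


# Constructed sub-CAs; both happen to have issued serial 123456789.
KEY_A = b"placeholder-key-sub-ca-A"
KEY_B = b"placeholder-key-sub-ca-B"
TRUSTED_KEYS = {"CN=Sub-CA A": KEY_A, "CN=Sub-CA B": KEY_B}

CRL_A = sign_crl("CN=Sub-CA A", [123456789], KEY_A)   # A revokes its 123456789
CRL_B = sign_crl("CN=Sub-CA B", [], KEY_B)            # B has revoked nothing
FORGED_CRL_B = sign_crl("CN=Sub-CA B", [123456789], b"attacker-key")  # wrong key
CRLS = [CRL_A, CRL_B]

CERT_A = Certificate("CN=Sub-CA A", 123456789)  # genuinely revoked
CERT_B = Certificate("CN=Sub-CA B", 123456789)  # same serial, different issuer


def demo() -> dict:
    """Return the outcomes a practitioner would compare."""
    return {
        "cert_a_correct": is_revoked(CERT_A, CRLS, TRUSTED_KEYS),          # True
        "cert_b_correct": is_revoked(CERT_B, CRLS, TRUSTED_KEYS),          # False
        "cert_b_naive": naive_is_revoked(CERT_B, CRLS),                     # True (wrong)
        "cert_b_forged_only": is_revoked(CERT_B, [FORGED_CRL_B], TRUSTED_KEYS),  # None
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `None` result for the forged CRL is deliberate: a list that does not verify under the issuer's trusted key is not evidence either way, so the gateway must treat "no valid CRL for this issuer" as its own policy case rather than silently accepting the connection. Adding a new domain means distributing that sub-CA's certificate (its verification key) and CRL distribution point to the gateways, which is the per-domain configuration the question is trying to minimise.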