
Is there a possibility to create a 2-tier PKI with multiple CAs for redundancy?


The scenario would be: if CA1 becomes unavailable, CA2 could be used to verify certificates and/or the complete certificate chain.

Rage
  • Look into the cross-signed certificates and why they are used. This link will be helpful: https://security.stackexchange.com/questions/14043/what-is-the-use-of-cross-signing-certificates-in-x-509 – saurabh Oct 07 '22 at 07:38
  • This looks good. If you post it as an answer, I can mark it as the resolution – Rage Oct 07 '22 at 08:11
  • Don't know why the question is closed. The referenced answer does not seem to be very specific to the question asked, i.e. What if one of the CA is unavailable? Although it indirectly answers the question but still not specific to this question. Cross-Signed cert is one way to answer it, but does not cover all the use cases. – saurabh Oct 07 '22 at 10:00
  • What does 'unavailable' mean? If you simply mean offline or temporarily down, that has no effect on cert validation, because cert validation doesn't require communicating with the CA. It does, usually, involve either a CRL, which can have been issued days or months earlier, or an OCSP responder, which _can_ be the CA but can instead be delegated or even entirely separate. Only if the cert of a CA (e.g. CA1) is _expired_ or _revoked_ does it affect validation, and in the former case a different cert for the same CA _and key_ could be used but not a cert for a different CA. – dave_thompson_085 Oct 08 '22 at 01:11

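The cross-signing idea from the comments, worked through with OpenSSL as an added example (this is not part of the original question or any comment, and the CA names, file names, and SAN are made up). It builds a 2-tier PKI with an offline root and two issuing CAs, has CA1 issue a leaf, then has CA2 issue a second certificate for CA1's existing key and subject name (the cross certificate). Because the leaf's issuer name matches both CA1 certificates, the leaf validates through either path. CA1's original certificate is deliberately issued with a 1-day lifetime, and `openssl verify -attime` is used to check the chains two days later: the direct path fails with an expired CA1 certificate while the path through the cross certificate and CA2 still validates, which is exactly the "different cert for the same CA and key" case described in the last comment. Validation never contacts any CA, so "CA1 unavailable" in the sense of being down does not enter into it.

```shell
#!/bin/sh
# Added example, not from the original post: cross-signed 2-tier PKI with two
# issuing CAs. All names and paths here are invented for the demonstration.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal OpenSSL config so nothing depends on the system openssl.cnf.
write_pki_config() {
  cat > "$PKI_DIR/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.internal
EOF
}

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# csr <key> <subject> <out-csr>
csr() { openssl req -new -key "$1" -config "$PKI_DIR/pki.cnf" -subj "$2" -out "$3" 2>/dev/null; }

# sign_csr <csr> <issuer-name> <serial> <days> <ext-section> <out-cert>
sign_csr() {
  openssl x509 -req -in "$1" -CA "$PKI_DIR/$2.crt" -CAkey "$PKI_DIR/$2.key" \
    -set_serial "$3" -days "$4" -extfile "$PKI_DIR/pki.cnf" -extensions "$5" \
    -out "$6" 2>/dev/null
}

build_demo_pki() {
  d="$PKI_DIR"
  write_pki_config
  newkey "$d/root.key"; newkey "$d/ca1.key"; newkey "$d/ca2.key"; newkey "$d/leaf.key"
  # Tier 1: the (offline) root, self-signed.
  openssl req -x509 -new -key "$d/root.key" -config "$d/pki.cnf" -extensions v3_ca \
    -subj /CN=Demo-Root -days 3650 -out "$d/root.crt" 2>/dev/null
  # Tier 2: two issuing CAs under the root. CA1's own certificate gets only
  # 1 day of validity so that its expiry can be simulated below.
  csr "$d/ca1.key" /CN=Demo-CA1 "$d/ca1.csr"
  csr "$d/ca2.key" /CN=Demo-CA2 "$d/ca2.csr"
  sign_csr "$d/ca1.csr" root 1001 1    v3_ca "$d/ca1.crt"
  sign_csr "$d/ca2.csr" root 1002 3650 v3_ca "$d/ca2.crt"
  # A leaf issued by CA1.
  csr "$d/leaf.key" /CN=app.example.internal "$d/leaf.csr"
  sign_csr "$d/leaf.csr" ca1 2001 30 v3_leaf "$d/leaf.crt"
  # Cross-sign: CA2 certifies CA1's existing key under CA1's existing name,
  # re-using CA1's CSR. Same subject + same key is what makes the leaf
  # (issuer "CN=Demo-CA1") chain through either CA1 certificate.
  sign_csr "$d/ca1.csr" ca2 3001 3650 v3_ca "$d/ca1-cross.crt"
  cat "$d/ca1-cross.crt" "$d/ca2.crt" > "$d/ca1-via-ca2.pem"
}

# verify_leaf <untrusted-chain-file> <seconds-from-now>
# Prints OK or FAIL; the trust anchor is always just the root.
verify_leaf() {
  at=$(( $(date +%s) + $2 ))
  if openssl verify -attime "$at" -CAfile "$PKI_DIR/root.crt" \
       -untrusted "$1" "$PKI_DIR/leaf.crt" >/dev/null 2>&1; then
    echo OK; return 0
  fi
  echo FAIL; return 1
}

build_demo_pki
TWO_DAYS=172800
echo "now,      leaf -> ca1 -> root:            $(verify_leaf "$PKI_DIR/ca1.crt" 0 || true)"
echo "now,      leaf -> ca1-cross -> ca2 -> root: $(verify_leaf "$PKI_DIR/ca1-via-ca2.pem" 0 || true)"
echo "+2 days,  leaf -> ca1 -> root:            $(verify_leaf "$PKI_DIR/ca1.crt" $TWO_DAYS || true)"
echo "+2 days,  leaf -> ca1-cross -> ca2 -> root: $(verify_leaf "$PKI_DIR/ca1-via-ca2.pem" $TWO_DAYS || true)"
```

In practice the relying party does not choose a path by hand: the server sends the leaf plus whichever intermediate certificates it wants clients to have, and the client's path builder picks a chain to a trusted root. The operational point is that "redundancy" here is redundancy of CA certificates, not of CA servers: the cross certificate must be distributed (or served alongside the leaf) before CA1's original certificate expires or is revoked, and revocation of CA1's key, as opposed to one of its certificates, invalidates both paths.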