3

I am currently designing a private PKI for my family and some close friends for use in E-Mail, VPN, file sharing etc. The PKI will be 3-tiered:

Root CA -> Policy Authority -> Issuing Authority -> Enduser

I want to restrict the usage of certificates to certain use cases by using the keyUsage and extendedKeyUsage fields. I.e. our web servers' certificates should have the following extensions set:

keyUsage=digitalSignature,keyEncipherment,keyAgreement,nonRepudation
extendedKeyUsage=TLS Web Server Authentication

These certificates will be issued by the "Web Server Issuing CA". It is not under my direct supervision, but I'd like to enforce that exactly those keyUsage and extendedKeyUsage fields must be present and more importantly, I do not want the Webserver Issuing CA to issue certificates for E-Mail etc.

Cyclonit
  • 45
  • 3
  • Just a side note to future googlers: there is a V3 extension nameConstraints. It cannot enforce proper keyUsage fields as asked in the question, but it can somewhat limit the range of the valid certificates issued by Issuing Authority. – simon Dec 12 '21 at 17:38

1 Answers1

2

To my knowledge, you cannot enforce this - key usage doesn't cascade down. If you want control, you should audit the issuing log of the Webserver Issuing CA.

Konrads
  • 599
  • 1
  • 5
  • 15
  • But is there any way of preventing the Issuing CA from tampering with its logs? In the event of one of them being compromised and being used to issue certificates for a use case outside of their organizational unit, could the attacker not simply alter the logs? – Cyclonit Mar 29 '16 at 08:48
  • Not via PKI means. Once you have granted a sub-CA its licence to mint certificates, technically it can do whatever it wants. You then need additional technical controls in place, like secure logs (remote and/or hash-chained + signed), protect the sub-CA's keys and so on. Sticky business – Konrads Mar 29 '16 at 09:48
  • Just as a note for future googlers: This means that certificate authority may do a lot of damage. Auditing logs does not prevent the CA from issuing "faulty" certificates, you merely detect it. Revoking certificates is a whole other mess by itself. – Cyclonit Apr 03 '16 at 17:07