There are a few options that may help you here, but there's no guaranteed way to stop this:
Depending on your infrastructure, you may be able to use Name Constraints to limit your other administrator's CA to a specific subdomain or to a specific Distinguished Name arc. Whether that helps you or not depends on your specific circumstances. For example, if your colleague's application is running within their own specific DNS subdomain, you could limit the new CA to this.
Certificate Policies may help you, but only if all clients can be mandated to check them. This is not the case with the most common certificate usage - HTTPS; so again, depending on your circumstances, this may or may not be useful. You would have to ensure that your colleague's application clients check policies and also ensure that their developers don't disable it - this relies on you trusting the team.
Finally, and most importantly, PKI works only because all the CAs follow strict policies and procedures. Without these, it is simply a clever mathematical conundrum. Trust is only gained by ensuring that all participants play by the rules and follow your strict policies. If any CA fails to play by the rules, they risk having their CA certificate revoked by a superior CA - I'm assuming that is you here. This is probably your best option. Show your colleague your Certificate Policy document; ensure they understand it and write a Certification Practice Statement to that effect, and hold them to task if they don't play by the rules. If you don't trust them, don't issue them a CA certificate - it's your PKI's reputation on the line.
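The Name Constraints option from the answer above, shown end to end as an added example (not code from the original answer): a throwaway root CA signs a subordinate CA whose certificate carries a critical nameConstraints extension permitting only hostnames under .app.example.com, the subordinate then issues one certificate inside that subtree and one outside it, and chain validation accepts the first and rejects the second. The CA names and the DNS names are constructed; the script assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the original answer). Everything is built in a temp dir;
# names and domains are constructed, OpenSSL >= 1.1.1 is assumed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# csr NAME SUBJECT: generate a fresh key and a CSR for it.
csr() { openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
          -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1; }

# Root CA: the superior CA run by the PKI owner, self-signed.
csr root "/CN=Example Root CA"
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext -out root.crt >/dev/null 2>&1

# Subordinate CA for the colleague. The critical nameConstraints extension limits
# every certificate below it to DNS names under .app.example.com.
csr sub "/CN=Colleague Sub CA"
cat > sub.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.app.example.com
EOF
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile sub.ext -out sub.crt >/dev/null 2>&1

# issue_leaf HOST: the sub CA signs a server certificate for HOST. Issuance itself is
# not blocked; the constraint takes effect when a relying party validates the chain.
issue_leaf() {
  csr "$1" "/CN=$1"
  printf 'subjectAltName = DNS:%s\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 30 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# verify_leaf HOST: exit 0 if the chain root -> sub -> HOST validates, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile root.crt -untrusted sub.crt "$1.crt" >/dev/null 2>&1
}

issue_leaf www.app.example.com    # inside the permitted subtree
issue_leaf www.other.example.com  # outside it

verify_leaf www.app.example.com   && echo "www.app.example.com: accepted"
verify_leaf www.other.example.com || echo "www.other.example.com: rejected (permitted subtree violation)"
```

Clients that honour RFC 5280 name constraints (modern browsers and TLS libraries do) reject the second certificate even though the colleague's CA signed it, which is what makes this control stronger than Certificate Policies, which most HTTPS clients ignore.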