Tags: certificate, ssl-certificate, x509certificate, digicert

Can I create a chain of certificates from Root CA


This may sound like a stupid question, but it is the first time I'm researching this topic. Is it possible to create a chain of certificates?

So currently we have this structure:

Root CA --> Intermediate CA --> Issues certificates

This is the structure we would want:

Root CA --> Intermediate CA --> Another Intermediate CA --> Issue certs
                            --> Another Intermediate CA --> Issue certs
                            --> Another Intermediate CA --> Issue certs

I have done a little research but I can't find out whether this chaining structure is possible.

We want to have a Root CA and then an intermediate for a division and then other intermediates for projects within the division. It will help compartmentalize any damage if done.


Solution

  • CA hierarchy organization is similar to folder organization, with its own specific rules. Every extra CA increases management costs. Every new tier increases certificate chain validation time. So you need to keep as few CAs and as short chains as it is reasonable to keep.

    Minimum recommended configuration is two-tier:

    Root CA --> Policy/Issuing CA --> End Entities
    

    The Root CA should be offline, not connected to any network, utilize an HSM and be kept in a secure room. The loss/compromise of the root CA leads to an entire PKI crash without any chance to revoke it. This is why the root CA usually issues certificates only to other CAs, not to end entities. Most of the time it is turned off and is turned on only during certificate renewal and CRL publication.

    The Policy/Issuing CA is built below the root and works directly with end entities (certificate consumers or subscribers). Logically it is installed close to most clients. It is enabled and operates 24/7. Physical security is the same as for the Root CA: secure room, HSM (individual or net-HSM), strict physical access to the device. The compromise of an issuing CA is still bad, but recoverable. At least only part of the PKI is compromised (a particular chain) and you can revoke the compromised CA certificate without having to replace the root everywhere.

    If you need separate CA for divisions, do it:

    Root CA --> Policy/Issuing CA 1 --> End Entities
            --> Policy/Issuing CA 2 --> End Entities
            --> Policy/Issuing CA 3 --> End Entities
    

    There is nothing wrong with such a configuration.
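The following script is an added example and is not part of the question or the answer above. It builds the three-tier hierarchy the question asks about (Root CA, a division CA, a project CA, then an end-entity certificate) with plain OpenSSL, and shows the control that actually compartmentalizes the tiers: the `basicConstraints` path length on each CA certificate. The root gets `pathlen:2`, the division CA `pathlen:1` and the project CA `pathlen:0`, so a certificate issued as a further CA beneath a project CA is rejected by any standards-conforming validator even though the project CA's key could technically sign it. All subject names, file names and the `app.project.example` hostname are constructed for the example; it assumes OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example (not from the original question or answer): build
#   Root CA -> Division CA -> Project CA -> end-entity certificate
# with OpenSSL, constrain each tier with basicConstraints pathlen, and
# verify the result with only the root in the trust store.
# All names below are constructed for the example.
set -e

# Extension lines for a CA certificate; $1 is the permitted pathlen.
ca_exts() {
  cat <<EOF
basicConstraints=critical,CA:TRUE,pathlen:$1
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
}

# issue <name> <subject CN> <parent name> <extfile>
# Creates an EC P-256 key and CSR for <name>, signed by <parent>'s key.
issue() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 825 -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
}

# Builds the whole hierarchy in a fresh scratch directory ($WORK).
build_hierarchy() {
  WORK=$(mktemp -d)
  # Self-signed root: pathlen:2 permits exactly two CA tiers beneath it.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/root.key" 2>/dev/null
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=Example Root CA\n[v3_ca]\n' \
    > "$WORK/root.cnf"
  ca_exts 2 | grep -v authorityKeyIdentifier >> "$WORK/root.cnf"
  openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/root.cnf" \
    -extensions v3_ca -days 3650 -out "$WORK/root.crt"

  ca_exts 1 > "$WORK/division.ext"   # division CA may issue one more CA tier
  ca_exts 0 > "$WORK/project.ext"    # project CA may issue end entities only
  cat > "$WORK/leaf.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:app.project.example
EOF
  issue division "Example Division CA" root     "$WORK/division.ext"
  issue project  "Example Project CA"  division "$WORK/project.ext"
  issue leaf     "app.project.example" project  "$WORK/leaf.ext"
  cat "$WORK/division.crt" "$WORK/project.crt" > "$WORK/chain.pem"

  # Failure mode to detect: a further CA minted below the pathlen:0 Project CA
  # and a leaf beneath it. Signing succeeds, but validation must reject it.
  issue extra      "Unsanctioned Sub CA"   project "$WORK/project.ext"
  issue extra-leaf "other.project.example" extra   "$WORK/leaf.ext"
  cat "$WORK/chain.pem" "$WORK/extra.crt" > "$WORK/extra-chain.pem"
}

# verify_leaf <leaf.crt> <chain.pem>: only the root is trusted; the
# intermediates are passed as untrusted and validated like any other cert.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1"
}

build_hierarchy
echo "--- leaf under Project CA (expected: OK)"
verify_leaf "$WORK/leaf.crt" "$WORK/chain.pem"
echo "--- leaf under an extra CA below Project CA (expected: rejected)"
if verify_leaf "$WORK/extra-leaf.crt" "$WORK/extra-chain.pem"; then
  echo "UNEXPECTED: chain accepted"
else
  echo "rejected: pathlen of Project CA (0) and Root CA (2) is exceeded"
fi
```

Run it with `sh build-hierarchy.sh`; the first `openssl verify` prints `OK`, the second fails with a path length constraint error. In production the root key would live on an offline HSM as the answer describes, so the root signing step here stands in for a signing ceremony rather than a script; the pathlen values, however, are exactly what you would put in the real CA certificates.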