Reputation: 4066
How to correctly distribute root-CA's?
Lets say I have a signing-CA
I want to distribute the signing-CA PEM to my clients
What is best practice for distributing the PEM?
- Just allow publicly to be downloaded?
- Just for signed in users?
- Any other mechanism?
Seems to be that providing a public or at least restricted download link is totally sufficient. Is that correct or am I missing something?
Upvotes: 2
Views: 1410
Answers (1)
Reputation: 33098
There's no secret to a certificate, they're routinely published to unauthenticated HTTP (not S, though you can do both) as part of Authority Information Access chaining.
If you're a self-signed/root CA there's a trust bootstrapping problem, where your users have to take it on faith that you are you (and that they don't get the wrong cert from the Man in the Middle). An HTTPS endpoint helps with that; as does embedding the certificate in an Authenticode-or-otherwise-signed client tool.
Upvotes: 4
Related Questions
- How to ensure we're getting the topmost Root CA certificate from a chain?
- Correct way to import root and intermediate certificates in Java cacerts
- Can I create a chain of certificates from Root CA
- How to structure a CA directory for usage with OpenSSL?
- How to chain a SSL server certificate with the intermediate and root CA certificates?
- I have setup my own ca root certificate
- x509 (server) cert signed by multiple CAs?
- How does it work: Found one SSL certificate two different chains and two different root CAs
- How to create X509 root certificate and distribute subordinate certificates
- self-signed certificate issue