Delete Root CA key #53

Closed
budulinek opened this issue Jul 14, 2022 · 3 comments

Root CA key should be stored offline; it should be deleted from LabCA once we generate Issuer CA. Suggestion:

  1. Root CA upload: make Root CA key uploading optional (with a hint that Root CA's private key is only needed for Issuer CA generation, it is not stored by LabCA). If Root key is not uploaded, Issuer CA cannot be generated (only uploaded).
  2. Root CA generate: after the Root CA generation (before Issuer CA setup), Root CA key is shown to the user (plain text and/or file) with a message, something like "For comprehensive risk reduction, the Root CA's private key should be stored offline. Please copy this Root CA's private key and store it in a secure, private and offline location. The Root CA's private key will be deleted from LabCA after Issuer CA generation!"
  3. Issuer CA generate: after Issuer CA generation, Root CA private key is permanently deleted from LabCA.

@hakwerk hakwerk self-assigned this Aug 2, 2022

hakwerk (Owner) commented Aug 20, 2022

This would indeed be a good practice, although LabCA should not be used in situations where the Root CA is super critical.

It would also be nice to be able to renew / replace Root and Issuer CA certificates.

tjmullicani commented Feb 17, 2023

+1 I want to be able to use LabCA with my offline root CA, without having to expose my offline root private key. Option 1 (Root CA upload) seems like a good fit, especially if LabCA could generate an issuer CA CSR.

hakwerk added a commit that referenced this issue Jun 8, 2023
When generating a new Root CA certificate, show the key in the GUI and ask the user to
store it offline. When importing an existing CA make the root key optional.
When the private key is needed but we don't have it, ask the user to provide it. You
can now also create a CSR for the Issuer CA that can be signed by the offline Root CA.

hakwerk (Owner) commented Jun 17, 2023

In the latest release (v23.06) it is now possible to keep the Root CA private key offline as requested.

@hakwerk hakwerk closed this as completed Jun 17, 2023
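
The flow described in the commit above (the CA host creates an Issuer CA CSR, the offline Root CA signs it), as an added Go example that is not LabCA's own code. The helper names `must`, `SignOffline` and `Demo`, the subject names, fixed serial numbers, lifetimes and RSA-2048 keys are all constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on setup failures (key generation, encoding of constructed values).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SignOffline runs where the root key lives; the issuer it returns (DER) has path length 0.
func SignOffline(csrDER []byte, root *x509.Certificate, rootKey *rsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return nil, fmt.Errorf("CSR rejected: unparsable or not signed by its own key")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, IsCA: true,
		BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0)}
	return x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
}

// Demo plays both machines with constructed names; only csr and issuerDER cross between them.
func Demo() error {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048)) // offline machine
	rt := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Offline Root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0)}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rt, rt, &rootKey.PublicKey, rootKey))))
	issuerKey := must(rsa.GenerateKey(rand.Reader, 2048)) // online CA host, never sees rootKey
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Issuer CA"}}
	csr := must(x509.CreateCertificateRequest(rand.Reader, req, issuerKey))
	issuerDER, err := SignOffline(csr, root, rootKey) // offline machine again
	if err != nil {
		return err
	}
	return must(x509.ParseCertificate(issuerDER)).CheckSignatureFrom(root) // CA flag, key usage, signature
}

func main() { fmt.Println("issuer verifies against the offline root:", Demo() == nil) }
```

`CheckSignatureFrom` confirms the parent's CA flag, key usage and signature only; it is not full path validation.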