The EnrollProfile class is responsible for populating certificate information. Modifications needed are:

• When creating request objects, store the sub-CA indicator from the profile context in the request data.

• When executing requests, switch the ICertificateAuthority context for enrollment to the sub-CA indicated in the request data (if any).

Update SigningUnit and have its owners supply the nickname configuration, so that there can be multiple SigningUnit instances using different keys.

Add methods to retrieve a sub-CAs given a String sub-CA reference or an ordered List<String> of individual sub-CA handles.

Update construction and initialisation to give the instance awareness of its position in the CA heirarchy, and to initialise the CertificateRepository, SigningUnit instances to the correct DNs, nicknames, etc.

The ''Authority Key Identifier'' extension must identify the immediate signing authority, which could be a sub-CA. Accordingly, the authority ID is read from the request data and used to query the host CA for the corresponding lightweight CA, whose identifier shall be included in the extension.

Servlets and web templates (HTML, javascript) will be update to recognise and propagate the authorityId request parameter, which indicates a lightweight CA. If the parameter is absent or empty, the host CA is implied.

Care must be taken in JavaScript code to ensure that null values for the authorityId parameter do not result in a literal string value of "null". This case should be handle by either using the empty string or omitting the parameter from the subsequent request.

Where appropriate, web forms shall include a field (e.g. drop-down menu) to select an authority.