Standalone Subsystems Use Cases - dogtagpki/pki GitHub Wiki

Case I: Stand-alone KRA

  • A PKI deployment should be able to setup a KRA without the need to have a CA.

  • This stand-alone KRA should not be expected to communicate with any other PKI subsystem (with the possible exception of any KRAs that have been cloned from this stand-alone KRA).

  • This stand-alone KRA should host its own security domain.

  • This stand-alone KRA will require five PKI subsystem certificates to be signed and issued by a single External CA:

    • Transport Certificate

    • Storage Certificate

    • SSL Server Certificate

    • Subsystem Certificate

    • Audit Log Signing Certificate

  • Additionally, for administration purposes, this KRA will require an Administration Certificate to be signed and issued by the same External CA that signed its other five certificates.

  • This stand-alone KRA should be able to be cloned.

  • Each KRA clone will be limited to use the master KRA security domain.

Case II: KRA Cloned from Stand-alone KRA

  • A PKI deployment should be able to clone a KRA from a fully configured stand-alone KRA.

  • This cloned KRA should not be expected to communicate with any other PKI subsystem other than the master stand-alone KRA from which it was cloned.

  • This cloned KRA must use the master stand-alone KRA as its security domain.

  • This cloned KRA will require one PKI subsystem certificate to be signed and issued by the same External CA that was utilized by the master stand-alone KRA:

    • SSL Server Certificate

Note
For administration purposes, this cloned KRA will utilize the Administration Certificate that was signed and issued for the KRA master.

Case III: Stand-alone OCSP

  • A PKI deployment should be able to setup an OCSP without the need to have a CA.

  • This stand-alone OCSP should not be expected to communicate with any other PKI subsystem (with the possible exception of any OCSPs that have been cloned from this stand-alone OCSP).

  • This stand-alone OCSP should host its own security domain.

  • This stand-alone OCSP will require four PKI subsystem certificates to be signed and issued by a single External CA:

    • OCSP Signing Certificate

    • SSL Server Certificate

    • Subsystem Certificate

    • Audit Log Signing Certificate

  • Additionally, for administration purposes, this OCSP will require an Administration Certificate to be signed and issued by the same External CA that signed its other four certificates.

  • This stand-alone OCSP should be able to be cloned.

  • Each OCSP clone will be limited to use the master OCSP security domain.

Case IV: OCSP Cloned from Stand-alone OCSP

  • A PKI deployment should be able to clone an OCSP from a fully configured stand-alone OCSP.

  • This cloned OCSP should not be expected to communicate with any other PKI subsystem other than the master stand-alone OCSP from which it was cloned.

  • This cloned OCSP must use the master stand-alone OCSP as its security domain.

  • This cloned OCSP will require one PKI subsystem certificate to be signed and issued by the same External CA that was utilized by the master stand-alone OCSP:

    • SSL Server Certificate

Note
For administration purposes, this cloned OCSP will utilize the Administration Certificate that was signed and issued for the OCSP master.
⚠️ **GitHub.com Fallback** ⚠️