From memory, the root signing certificate is a self signed certificate and is used as the root of trust for any PKI. The root ca server (RA) should never go online and it's purpose is to issue signing certificates for Intermediate Certificate Authorities. These ICAs are used to issue certificates for a variety of purposes including TLS encryption and identification. Many years ago, the Subject of a certificate used for TLS held the FQDN for the associated server. Some older browsers may still expect this behavior. Today the Subject Alternate Name (SAN) attribute in a certificate is much more critical than the Subject name. Distinguished Name is always (as far as I know) a structured value and is used to determine identification of the entity the certificate is issued to. The uniqueness of a certificate is based on ICA + Serial Number.
A good starting point to read about x509 certificates is https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/certificate-concepts/ba-p/395181
If you intend to create your own private PKI service, you will need to add the certificate authority hierarchy (RA and ICAs) to the devices that need to trust that certificate. Even after doing that, there may be some browsers that do not automatically trust a new root CA added to the system's certificate store.
On Mon, May 15, 2023, 9:45 AM Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
this is the first time in decades I have been doing serious PKi design,,,
I am now looking at the various certificates, each with different
keypairs that the CA uses.
It has its base authorization-to-exist cert that SHOULD rarely be used
other than to sign its other certs.
It has a signing cert for signing the certs of all of its subscribers.
It has a CRL signing cert, well for signing any CRLs it generates.
It may have an OSCP signing cert.
...
The question is what to use for subjectName for all of these? What is
the "common" practice. I have been googling and reading docs all
morning and not finding anything on this subject.
Is the practice to use a lower OU level for these certs below the CA's
base cert?
Are they all named the same (unique_subject=no) with only the
subjectKeyIdentifier different and the CA operator 'knowing' which to
use where, but not (necessarily) outsiders to the CA?
Duplicate subjectName, but something like a policy OID to identify which
is for what?
My search foo is weak, and I have to run off to a dr appt and I really
want to get this part settled today.
Sigh. It is always one more hurdle.
thanks for any pointers. I am just not finding something to read that
gives guidance on best practices for this.
