Cross-Pair Certificates; Ca Hierarchy - Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual


cn=demoCA, o=Example Corporation, ou=Engineering, c=US
Many combinations of name-value pairs are possible for the Certificate Manager's DN. The DN must
be unique and readily identifiable, since any end entity can examine it.
4.2.4.2. CA Signing Certificate Validity Period
Every certificate, including a Certificate Manager signing certificate, must have a validity period. The
Certificate System does not restrict the validity period that can be specified. Set as long a validity
period as possible, depending on the requirements for the place of the CA in the certificate hierarchy
and the requirements of any public CAs that are included in the PKI.
A Certificate Manager cannot issue a certificate that has a validity period longer than the validity period
of its CA signing certificate. If a request is made for a period longer than the CA certificate's validity
period, the requested validity date is ignored and the CA signing certificate validity period is used.
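As an added illustration of the rule above (this is not code from the manual or from Certificate System), the following Python models how a requested validity period is clamped to the CA signing certificate's notAfter, and audits a hierarchy for certificates that outlive their issuer. The date values are constructed, and rejecting a notBefore outside the CA's own window is an assumption the manual does not spell out.

```python
from datetime import datetime, timedelta, timezone

def utc(year, month, day):
    """Timezone-aware UTC date, so comparisons are unambiguous."""
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed CA signing certificate validity window (example values only).
CA_NOT_BEFORE = utc(2024, 1, 1)
CA_NOT_AFTER = utc(2026, 1, 1)

def effective_validity(req_not_before, req_not_after, ca_not_before, ca_not_after):
    """Return the (notBefore, notAfter) the CA can actually issue.

    An issued certificate may not outlive the CA signing certificate, so a requested
    expiry past the CA's own notAfter is replaced by the CA certificate's notAfter.
    Requests that start outside the CA's window are rejected (assumption).
    """
    if req_not_before < ca_not_before:
        raise ValueError("requested notBefore precedes the CA signing certificate's notBefore")
    if req_not_before >= ca_not_after:
        raise ValueError("requested notBefore is at or after the CA signing certificate's notAfter")
    return req_not_before, min(req_not_after, ca_not_after)

def chain_validity_violations(chain):
    """chain: list of (name, notBefore, notAfter), root first, leaf last.

    Returns the names of certificates whose validity window is not contained in
    their issuer's window; these are the entries to flag when auditing a hierarchy.
    """
    violations = []
    for (_, issuer_nb, issuer_na), (name, nb, na) in zip(chain, chain[1:]):
        if nb < issuer_nb or na > issuer_na:
            violations.append(name)
    return violations

if __name__ == "__main__":
    req_nb = utc(2025, 6, 1)
    nb, na = effective_validity(req_nb, req_nb + timedelta(days=3650), CA_NOT_BEFORE, CA_NOT_AFTER)
    print(f"issued: {nb.date()} .. {na.date()}")  # notAfter clamped to 2026-01-01
```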
4.2.4.3. Signing Key Type and Length
Longer keys are considered cryptographically stronger than shorter keys. However, longer keys
require more time for signing operations.
The default RSA key length in the configuration wizard is 2048 bits; for certificates that provide access
to highly sensitive data or services, consider increasing the length to 4096 bits.
4.2.4.4. Serial Number Ranges for the CA
The starting and ending serial numbers that a CA can issue can be set in the Certificate System
Console. This is useful when installing cloned CAs; each cloned CA is given a specific range of serial
numbers that it can issue so that none of the cloned CAs can issue the same serial number.
The serial number range is not set during installation or configuration of the subsystem but can be
configured through the Certificate System Console by an administrator.
4.2.5. Cross-Pair Certificates
The Certificate System can issue, import, and publish cross-pair CA certificates. With cross-pair
certificates, one CA signs and issues a cross-pair certificate to a second CA, and the second CA signs
and issues a cross-pair certificate to the first CA. Both CAs then store or publish both certificates as a
crossCertificatePair entry.
Cross-pair certificates can also serve as bridge certificates, allowing certificates issued by a CA that
is not chained to the root CA to be honored. Once a trust relationship is established between the
Certificate System CA and another CA through a cross-pair CA certificate, the cross-pair certificate can
be downloaded and used to trust the certificates issued by the other CA.
For more information on using cross-pair certificates, see Chapter 10, Managing Certificates.

4.3. CA Hierarchy

When there are multiple CAs in a PKI, the CAs are structured in a hierarchy or chain. The CA above
another CA in a chain is called a root CA; a CA below another CA in the chain is called a subordinate
CA. A CA can also be subordinate to a root outside of the Certificate System deployment; for example,