[CLUE-Tech] signing CA private key with another CA?

Jim Ockers ockers at ockers.net
Tue Sep 2 11:48:44 MDT 2003


Dave,

> I don't think private keys get signed.  When you sign a public key, the 
> result is a certificate.  Seems that you already know how to do that.
> 
> There isn't any point to signing a private key.  You have one, it is 
> only ever used by you.  If anyone else gets it, it is no good.

The point to signing a private key would be so that the signature would
carry forward onto public keys signed with that private key.

Take a look at this document from Verisign:

http://www.verisign.com/repository/hierarchy/hierarchy.pdf

As you can see the main primary certificate authority certificates
(public keys) are self-signed, using the associated private key of
course.  These public keys are generally found in commonly used web
browsers and other SSL client software.

As you can also see, there are many other certificate authority
delegations (public/private key pairs) in the Verisign hierarchy.
Since the web browsers probably don't have all of the other
certificate authority certificates (public keys) in their certificate
stores, the only way for Verisign to delegate the authority of
their private key to other certificate authorities would be to
sign the delegated-CA private key.  Right?

> OTOH, public keys are signed to form a certificate as a way to connect 
> an identity (like your server name) to the public key.

Yes.

> All you should need to do is issue a certificate for the new CA signed 
> by the old CA.  Then use the new CA to issue certificates for other 
> things.  Browsers et al. will follow the chain of signatures to the top 
> (the old CA) and all will be well.

If I did this, the new CA certificate (public key) would then have the
signature of the old CA's private key.  However, when the new CA issues
certificates (signs other public keys), the signature on its public key
has nothing to do with it.

My objective was to try to figure out a way to issue certificates with
the new CA private key without having to update all of the web browsers
and client software with the new CA's public key.  Even if the new CA's
public key has the "right" signature on it, how would any old web
browser know about that since the new CA's "public key" is not loaded
in the web browser?

> It seems to be a good idea to use your root CA certificate to sign only 
> other CA certificates (that are used to sign user/server certs).  It's 
> been a while since I looked at the PKI details to remember all the reasons.

The only way I could think of to delegate the authority of the CA was
to sign the private key of the new CA using the private key of the old
CA.  I'm pretty sure this is how Verisign does it.  Do you still
disagree?

Thanks,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/
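An added example, not part of the thread above, showing the arrangement Dave describes: the old (root) CA's private key signs the new CA's certificate, the new CA's private key signs server certificates, and a client that trusts only the root follows the signatures back to it when the server presents the intermediate certificate alongside its own. It uses only the Go standard library; the CA names, serial numbers and the hostname www.example.test are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the three certificates built below: a self-signed root, an
// intermediate CA certificate signed by the root's private key, and a server
// certificate signed by the intermediate's private key. Names are hypothetical.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// ca pairs a CA certificate (the public key plus the issuer's signature over
// it) with the private key that corresponds to that public key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// caTemplate describes a CA certificate. pathLen is how many further CAs may
// sit below it: 1 for the root (one intermediate), 0 for the intermediate.
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes an end-entity (server) certificate for host.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// mint generates a fresh key pair for tmpl and has issuer sign its PUBLIC key.
// A nil issuer yields a self-signed certificate. The private key is only ever
// used to produce signatures; it is never itself the thing being signed.
func mint(tmpl *x509.Certificate, issuer *ca) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert, key}, nil
}

// BuildHierarchy creates root -> intermediate -> server certificate for host.
func BuildHierarchy(host string) (*Hierarchy, error) {
	root, err := mint(caTemplate("Example Root CA", 1, 1), nil)
	if err != nil {
		return nil, err
	}
	inter, err := mint(caTemplate("Example Intermediate CA", 2, 0), root)
	if err != nil {
		return nil, err
	}
	leaf, err := mint(leafTemplate(host, 3), inter)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{root.cert, inter.cert, leaf.cert}, nil
}

// VerifyWithRootOnly plays a client whose trust store holds only the root.
// presented are the extra certificates the server sends with its own during
// the handshake (normally the intermediate); the client never needs to have
// the intermediate pre-installed.
func VerifyWithRootOnly(root, leaf *x509.Certificate, host string, presented ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	const host = "www.example.test" // constructed hostname
	h, err := BuildHierarchy(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("intermediate issued by:", h.Intermediate.Issuer.CommonName)
	fmt.Println("server cert issued by: ", h.Leaf.Issuer.CommonName)
	fmt.Println("with intermediate sent:   ", VerifyWithRootOnly(h.Root, h.Leaf, host, h.Intermediate))
	fmt.Println("without intermediate sent:", VerifyWithRootOnly(h.Root, h.Leaf, host))
}
```

The second verification fails with an unknown-authority error, which is the practical caveat behind Dave's advice: the root's signature on the intermediate certificate is what lets the client extend its trust, but the client can only use it if the intermediate certificate is delivered in the chain.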


