cp-cps icon indicating copy to clipboard operation
cp-cps copied to clipboard
verified publisher icon letsencrypt

Clarify Issuer Distinguished Name value in Certificate Profiles

Open pgporada opened this issue 2 years ago • 0 comments

The Mozilla CA self assessment 6.1.7 Key usage purposes (as per X.509 v3 key usage field) states the following. When looking at our CPS, it's not explicitly clear which certificate profile would be used when determining the Issuer Distinguished Name: Derived from Issuer certificate. This could be made explicit and clear up some confusion that happened during the self assessment.

Private Keys corresponding to Root Certificates MUST NOT be used to sign Certificates except in the following cases:

  1. Self-signed Certificates to represent the Root CA itself;

  2. Certificates for Subordinate CAs and Cross-Certified Subordinate CA Certificates;

  3. Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates); and

  4. Certificates for OCSP Response verification.

An example would be, for a Subordinate CA Certificate, the Issuer Dinstinguished Name data could be changed to Derived from the Root CA Issuer certificate.

pgporada avatar Sep 20 '23 19:09 pgporada