Private Root CAs Are Disabled
Rule Details
Parameter | Description
---|---
Rule Name | pca-certificate-authority-root-disable
Identifier | Private Root CAs Are Disabled
Description | If private root CAs are enabled, this rule is non-compliant.
Tag | pca
Trigger Type | Configuration change
Filter Type | pca.ca
Rule Parameters | None
Application Scenarios
Disabling root CAs and designing a proper private CA hierarchy has the following benefits:
- Core of the trust chain: The private key of a root CA is the foundation of the entire trust chain. If that private key is disclosed, an attacker can issue arbitrary certificates and the entire trust system collapses.
- Lower likelihood of key disclosure: Keeping root CAs disabled and using them only to issue sub-CAs minimizes how often the root CA private key is used, which reduces the risk of disclosure.
- Risk isolation: Sub-CAs can be divided by department, service, or environment (such as development, testing, and production). If a sub-CA's private key is exposed, that sub-CA and the certificates it issued can be quickly revoked without affecting the root CA or other sub-CAs.
- Fine-grained permission control: You can set different issuance policies and permissions for each sub-CA to meet different service requirements.
Solution
Disable the root CA. For details, see Disabling a Private CA.
Rule Logic
- If a private CA is a root CA and enabled, this private CA is non-compliant.
- If a private CA is a root CA and is disabled, this private CA is compliant.
- If a private CA is not a root CA, this private CA is compliant.
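The three clauses above are a complete decision procedure, so they can be checked offline against an inventory of private CAs before the Config rule ever runs. The following Python is an added example written for this page, not code from the cloud provider or from the Config service: it applies the rule logic to a constructed list of CA records. The `PrivateCA` fields and the values `ROOT`, `SUBORDINATE`, `ENABLED` and `DISABLED` are assumptions made for the example; the real `pca.ca` resource schema may name these differently.

```python
"""Evaluate private CA records against the "Private Root CAs Are Disabled" rule.

Added example for this page; the record layout below is an assumption,
not the real pca.ca resource schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

COMPLIANT = "Compliant"
NON_COMPLIANT = "NonCompliant"


@dataclass(frozen=True)
class PrivateCA:
    """Minimal view of one private CA (assumed fields for the example)."""
    ca_id: str
    ca_type: str   # assumed values: "ROOT" or "SUBORDINATE"
    status: str    # assumed values: "ENABLED" or "DISABLED"


def evaluate_ca(ca: PrivateCA) -> str:
    """Apply the rule logic from the page to a single CA.

    - Not a root CA                 -> compliant
    - Root CA and disabled          -> compliant
    - Root CA and anything else     -> non-compliant

    A root CA whose status is not explicitly DISABLED is treated as enabled,
    which is the conservative reading of "root CA and enabled".
    """
    if ca.ca_type.upper() != "ROOT":
        return COMPLIANT
    if ca.status.upper() == "DISABLED":
        return COMPLIANT
    return NON_COMPLIANT


def evaluate_all(cas: Iterable[PrivateCA]) -> Dict[str, str]:
    """Return a mapping of CA id to compliance result."""
    return {ca.ca_id: evaluate_ca(ca) for ca in cas}


def non_compliant_ids(cas: Iterable[PrivateCA]) -> List[str]:
    """Return the ids of the CAs that violate the rule, sorted for stable output."""
    return sorted(ca.ca_id for ca in cas if evaluate_ca(ca) == NON_COMPLIANT)


# Constructed sample inventory: one disabled root, one still-enabled root,
# and two subordinate CAs (one per environment).
SAMPLE_CAS = [
    PrivateCA("root-corp", "ROOT", "DISABLED"),
    PrivateCA("root-legacy", "ROOT", "ENABLED"),
    PrivateCA("sub-dev", "SUBORDINATE", "ENABLED"),
    PrivateCA("sub-prod", "SUBORDINATE", "DISABLED"),
]


if __name__ == "__main__":
    for ca_id, result in evaluate_all(SAMPLE_CAS).items():
        print(f"{ca_id}: {result}")
    print("Root CAs that still need to be disabled:", non_compliant_ids(SAMPLE_CAS))
```

Only root CAs are ever reported, so an enabled sub-CA such as `sub-dev` is compliant under this rule even though it issues certificates; that matches the intended hierarchy, where day-to-day issuance happens from sub-CAs while the root stays disabled.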