
Re: PKINIT - hash for CA key



On Tue, Oct 22, 2002 at 09:12:05AM -0400, STEWARD, Curtis (Jamestown) wrote:
> Thanks!  I should have caught that, the subject
> didn't have the domain in the server cert.  As
> far as hashing I'm not sure what you meant by
> intermediate cert, but I had a CA (hashed),
> Server (non-hashed), and User (non-hashed)
> certs and I got my ticket.

For example, you can have a certificate chain consisting of multiple
certificates (e.g. a user certificate signed with an "Organization CA cert", which
is signed with a "Master CA"). This chain may contain quite a lot of
certificates. The certificates contained inside the chain (except the
first (Master CA) and the last one (user's cert)) are called intermediate. In
your case there's no intermediate certificate in your chain, thus it's
certainly sufficient to include only the hash of your CA.

Regarding intermediate CA certificates in general, I think it's not needed to
have their hashes in the CA directory. Since PKINIT sends the whole
certification chain, it should be sufficient to have only the root CA
certificate included in the local directory. The remaining certs in the chain can be
verified by means of the previous certificates in the chain. That's how the OpenSSL
routines work, however I didn't try it personally.

cheers

--
Dan
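
The chain layout Dan describes (Master CA signing an Organization CA, which signs the user certificate) can be reproduced and checked with plain OpenSSL. The script below is an added example and is not code from the thread or from any PKINIT implementation; all names, subjects and paths in it are constructed. It issues a three-certificate chain, places only the root in a c_rehash-style hashed CA directory (the `<subject hash>.0` naming that OpenSSL's CApath lookup uses), and then verifies the user certificate twice: once with the intermediate supplied alongside the leaf, as PKINIT does when it sends the whole chain, and once without it. The first succeeds even though the intermediate's hash is absent from the directory; the second fails with "unable to get local issuer certificate", which is the error to expect when a client sends only the leaf. It assumes an OpenSSL 1.1.0 or newer `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a constructed
# three-certificate chain (Master CA -> Organization CA -> user) with OpenSSL,
# puts ONLY the root CA into a hashed CA directory, and shows that the user
# certificate still verifies when the intermediate is supplied with the chain,
# and fails when it is not. All names and paths below are made up.
set -e

# Issue one certificate: $1 = work dir, $2 = file name, $3 = subject CN,
# $4 = issuer file name (or "self"), $5 = "ca" or "end" (extension profile).
issue_cert() {
  dir=$1; name=$2; cn=$3; issuer=$4; profile=$5
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
    -out "$dir/$name.csr" -subj "/CN=$cn" >/dev/null 2>&1
  if [ "$profile" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/$name.ext"
  else
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$dir/$name.ext"
  fi
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 30 \
      -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
      -CAcreateserial -days 30 -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  fi
}

# Build the chain and a hashed CA directory that holds only the root CA.
build_chain() {
  dir=$1
  mkdir -p "$dir/cadir"
  issue_cert "$dir" root  "Master CA"        self  ca
  issue_cert "$dir" inter "Organization CA"  root  ca
  issue_cert "$dir" user  "user@EXAMPLE.COM" inter end
  # c_rehash-style file name <subject hash>.0: this is what -CApath looks up.
  # The intermediate is deliberately NOT copied here.
  cp "$dir/root.pem" "$dir/cadir/$(openssl x509 -noout -hash -in "$dir/root.pem").0"
}

# Verify the user cert against the CA directory. $2 = "with" to pass the
# intermediate as untrusted chain material (as PKINIT would send it),
# "without" to omit it. Returns OpenSSL's verify exit status.
verify_user() {
  dir=$1; mode=$2
  if [ "$mode" = with ]; then
    openssl verify -no-CAfile -CApath "$dir/cadir" -untrusted "$dir/inter.pem" "$dir/user.pem"
  else
    openssl verify -no-CAfile -CApath "$dir/cadir" "$dir/user.pem"
  fi
}

# Stand-alone run: ./chain.sh demo
if [ "${1:-}" = demo ]; then
  WORK=$(mktemp -d)
  build_chain "$WORK"
  verify_user "$WORK" with
  verify_user "$WORK" without || echo "verification without the intermediate fails, as expected"
  rm -rf "$WORK"
fi
```

The point to take from the two `verify_user` calls is the one Dan makes: trust is anchored only in the root sitting in the hashed directory, and every other certificate in the chain is validated against its predecessor rather than against a local copy. The flip side for a KDC operator is that a client which omits the intermediate from its PKINIT chain will fail exactly like the second call, so that error usually indicates a truncated chain rather than a missing trust anchor.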