We should have support for intermediate certificates.
Currently that can be done by generating an intermediate, and using a different config file for each intermediate. Not very optimal.
Questions to ask:
- Should intermediates have the same key as the root or not?
- Should a client be allowed to request belonging to a certain intermediate via Subject?
- Should we indicate the intermediate in the subject?
Least visible changes would be to say no to the last two, and server-side assign intermediates to the client. A more visible version would be to change the OU to point at the named intermediate.
Suggested functions to add to the admin tools:
- Create intermediate
- Reject intermediate ( should also reject all signed children)
- List intermediate
- Assign CSR to intermediate (for future signing)
This change will require a new table in the database, and adjustment to models.
We should have support for intermediate certificates.
Currently that can be done by generating an intermediate, and using a different config file for each intermediate. Not very optimal.
Questions to ask:
Least visible changes would be to say no to the last two, and server-side assign intermediates to the client. A more visible version would be to change the OU to point at the named intermediate.
Suggested functions to add to the admin tools:
This change will require a new table in the database, and adjustment to models.