third party adding key to HABv4 PKI

antonio_santagi
Contributor IV

Hello, 

We are considering the case where a third party, not owning any of the SRK keys already generated for the HABv4 PKI tree, generates its own IMG keypair, asks us to sign the public part or certificate with one of the 4 SRK private keys (we can't give them any SRK private keys), and then we return the signed IMG public key certificate to them.

In the end we can't give them the SRK private key, and we can't know their IMG private key.

How should we sign the additional IMG key (public, certificate)? Should they send us the CSR (Certificate Signing Request)?

I can see in the add_key.sh script that actual signing is involved when generating the certificate:

# Generate certificate
openssl ca -batch -passin file:./key_pass.txt \
-md ${md} -outdir ./ \
-in ./${key_fullname}_req.pem \
-cert ${signing_crt} \
-keyfile ${signing_key} \
-extfile ../ca/v3_${ca}.cnf \
-out ../crts/${key_fullname}_crt.pem \
-days ${val_period} \
-config ../ca/openssl.cnf

How is it best to proceed when the third party doesn't want us to see their private key and we can't give them the SRK private key? Should they send us a CSR request, or is there any other option to directly sign an X509 certificate that includes only the public key?

Of course, at the final step of the process we'd give them the SRK binary map (public) so that they can sign the final content using their private IMG key and the CST tool.

Thank you

 

 

1 Solution
antonio_santagi
Contributor IV

Hey, I think I found everything needed. I'll do some tests to verify it works.

The CSR request is to be signed by the chosen SRK key, or by all of the 4 SRK keys, producing 4 certificates in the latter case.

The CSR request can be generated by the third party without knowing the private SRK keys.

The CSR request can be signed by us, producing a certificate for the public key with the SRK private key.

The resulting certificate can be sent back to the third party together with the SRK public keys map. The third party can then produce signed images with the CST tool.

 

Yuri
NXP Employee

@antonio_santagi 
Hello

Yes, your understanding is correct.

Regards,
Yuri.
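
The CSR exchange confirmed in this thread, as an added example that is not part of the original posts or of NXP's CST scripts. It uses plain `openssl req` and `openssl x509 -req` rather than the `openssl ca` call from add_key.sh, and the self-signed stand-in SRK, the file names, the CNs and the contents of `pki.cnf` are assumptions.

```shell
#!/bin/sh
# Added example. Every key is a throwaway generated in a temp dir; file names,
# CNs and pki.cnf contents are hypothetical and not taken from the CST.
set -eu

# SRK owner, setup only: self-signed stand-in for one SRK. In a real HABv4
# tree the SRK certificate already exists.
make_standin_srk() {  # $1 = workdir
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_usr]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj "/CN=SRK_standin" \
        -keyout "$1/srk_key.pem" -out "$1/srk_crt.pem" 2>/dev/null
}

# Third party: IMG keypair plus CSR. Only img_req.pem goes to the SRK owner.
third_party_make_csr() {  # $1 = workdir
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=IMG_thirdparty" \
        -keyout "$1/img_key.pem" -out "$1/img_req.pem" 2>/dev/null
}

# SRK owner: issue the certificate from the CSR alone. "x509 -req" refuses a
# CSR whose self-signature does not verify against the key it carries.
srk_owner_sign_csr() {  # $1 = workdir
    openssl x509 -req -sha256 -days 3650 -in "$1/img_req.pem" \
        -CA "$1/srk_crt.pem" -CAkey "$1/srk_key.pem" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions v3_usr -out "$1/img_crt.pem" 2>/dev/null
}

# Third party: accept the certificate only if it chains to the SRK certificate
# and carries the public half of the locally held IMG private key.
verify_img_cert() {  # $1 = workdir
    openssl verify -CAfile "$1/srk_crt.pem" "$1/img_crt.pem" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1/img_crt.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/img_key.pem" -pubout)" ]
}

d=$(mktemp -d); make_standin_srk "$d"; third_party_make_csr "$d"
srk_owner_sign_csr "$d"; verify_img_cert "$d" && echo "IMG certificate accepted"
```

In this flow `srk_key.pem` never leaves the SRK owner and `img_key.pem` never leaves the third party; only `img_req.pem` and `img_crt.pem` are exchanged.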