Hello All
Can someone please help me with the following question (thanks in advance)
I read the following (from another post on this forum regarding Policy CAs)
---------------------
The role of a policy CA is to describe the policies and procedures that an organization implements to secure its PKI, the processes that validate the identity of certificate holders, and the processes that enforce the procedures that manage certificates.
A policy CA issues certificates only to other CAs. The CAs that receive these certificates must uphold and enforce the policies that the policy CA defined.
It is not mandatory to use policy CAs unless different divisions, sectors, or locations of your organization require different issuance policies and procedures. However, if your organization requires different issuance policies and procedures, you must add policy CAs to the hierarchy to define each unique policy. For example, an organization can implement one policy CA for all certificates that it issues internally to employees and another policy CA for all certificates that it issues to non-employees.
---------------------
Now the statement above
The role of a policy CA is to describe the policies and procedures that an organization implements to secure its PKI
To me that sounds like the CPS?
My understanding is the CPS is simply a document (normally a text file) which can be accessed via a URL (e.g. HTTP) in the same manner as a CRL. If that is the case, is the location of the CPS detailed in a known extension like the CPD extension?
Also
How do you 'enforce' the Policy as detailed by the Policy CA, for example
Let's say we have a three-level PKI: Root > Policy CA (only issues a cert to the Issuing CA) > Issuing CA
Now, as far as I am aware, with an Enterprise AD-joined CA (issuing CA), requesting and obtaining certificates is controlled by Templates, and these Templates are controlled by Security ACLs (AD security) detailing who can Read, Enroll, and Auto-Enroll for a certificate (e.g. WEB Server) based on these templates.
If the above is correct, where does the Policy CA come in, inasmuch as 'enforcing a given policy'? For example, let's say the Policy CA states that for any certs issued by me to Issuing CAs, these Issuing CAs can only allow the WEB Server template. What is to stop an Admin giving Read and Enroll permissions for the Code Signing template, and thereby issuing Code Signing certs from the Issuing CA?
Are the Policies set up on the Policy CA (I assume you somehow set up Policies, hence the name?) related to EKU? For example, when the Policy CA issues a CA Cert (basic constraints) to the Issuing CA, does the Policy CA set certain EKUs (which I understand are known OIDs) in the CA cert it issues to the Issuing CA, somehow preventing the Issuing CA from issuing a Code Signing Cert, for example?
Any advice most welcome as I would really like to understand the mechanics of the above.
Thanks All in advance
AAnotherUser__
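The two mechanisms the question asks about can be seen in a small generated hierarchy. The following is an added example written for this page, not code from the forum post or from any reply to it. It uses the Python `cryptography` package to build Root > Policy CA > Issuing CA > leaf certificates, puts a CPS pointer in the Policy CA's certificatePolicies extension (the RFC 5280 extension where a CPS URI lives, as a policy qualifier), restricts the Policy CA's EKU to serverAuth, and then runs a simplified relying-party check (signatures, basicConstraints/pathLen, and EKU chaining, the rule Windows applies as "application policy" and OpenSSL applies with `-purpose`). The policy OID `1.3.6.1.4.1.99999.1.1`, the URL `http://pki.example.invalid/cps.txt`, the CA names, and the helper functions `make_cert`, `build_demo_pki`, `cps_urls`, `validate_chain` and `run_demo` are all constructed for the demo. The point it shows: the Issuing CA can still sign a code signing certificate (the EKU in its own CA cert does not block the signing operation; template ACLs and CA administration do that), but a relying party that chains EKU rejects the result because the Policy CA above it does not permit codeSigning.

```python
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed placeholders for this demo only: a private OID arc and a CPS URL.
DEMO_POLICY_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")
DEMO_CPS_URL = "http://pki.example.invalid/cps.txt"


def make_cert(subject_cn, issuer_cert, issuer_key, subject_key, *, ca,
              path_length=None, ekus=None, policies=None):
    """Build one certificate; issuer_cert=None makes it self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    now = dt.datetime.now(dt.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=5))
        .not_valid_after(now + dt.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
    )
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    if policies:
        builder = builder.add_extension(x509.CertificatePolicies(policies), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def build_demo_pki():
    """Root > Policy CA (EKU limited to serverAuth, carries the CPS pointer) > Issuing CA > leaves."""
    names = ("root", "policy", "issuing", "web", "codesign")
    keys = {n: ec.generate_private_key(ec.SECP256R1()) for n in names}
    root = make_cert("Demo Root CA", None, keys["root"], keys["root"], ca=True)
    policy = make_cert("Demo Policy CA", root, keys["root"], keys["policy"], ca=True, path_length=1,
                       ekus=[ExtendedKeyUsageOID.SERVER_AUTH],
                       policies=[x509.PolicyInformation(DEMO_POLICY_OID, [DEMO_CPS_URL])])
    issuing = make_cert("Demo Issuing CA", policy, keys["policy"], keys["issuing"], ca=True, path_length=0)
    web = make_cert("www.example.invalid", issuing, keys["issuing"], keys["web"], ca=False,
                    ekus=[ExtendedKeyUsageOID.SERVER_AUTH])
    # Nothing in the Policy CA's certificate stops the Issuing CA from signing this one.
    codesign = make_cert("Demo Build Signer", issuing, keys["issuing"], keys["codesign"], ca=False,
                         ekus=[ExtendedKeyUsageOID.CODE_SIGNING])
    return {"root": root, "policy": policy, "issuing": issuing, "web": web, "codesign": codesign}


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def cps_urls(cert):
    """CPS URIs carried as qualifiers in certificatePolicies (RFC 5280 section 4.2.1.4)."""
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return []
    return [q for p in policies for q in (p.policy_qualifiers or []) if isinstance(q, str)]


def validate_chain(leaf, intermediates, root, required_eku):
    """Simplified relying-party check. intermediates runs from the leaf's issuer upward.
    Returns (ok, reason)."""
    chain = [leaf, *intermediates, root]
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False, f"{common_name(cert)}: issuer name does not match {common_name(issuer)}"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"{common_name(cert)}: bad signature"
    for depth, ca in enumerate(chain[1:]):  # depth = number of CAs beneath this one
        bc = ca.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            return False, f"{common_name(ca)}: not a CA"
        if bc.path_length is not None and depth > bc.path_length:
            return False, f"{common_name(ca)}: pathLenConstraint {bc.path_length} exceeded"
    # EKU chaining: every cert in the path that carries EKU must permit the requested use.
    for cert in chain:
        try:
            eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            continue  # no EKU extension means no restriction at this level
        if required_eku not in eku:
            return False, f"{common_name(cert)}: EKU does not permit {required_eku.dotted_string}"
    return True, "ok"


def run_demo():
    pki = build_demo_pki()
    path = [pki["issuing"], pki["policy"]]
    return {
        "cps": cps_urls(pki["policy"]),
        "web": validate_chain(pki["web"], path, pki["root"], ExtendedKeyUsageOID.SERVER_AUTH),
        "codesign": validate_chain(pki["codesign"], path, pki["root"], ExtendedKeyUsageOID.CODE_SIGNING),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it reports the CPS URL read back from the Policy CA certificate, `ok` for the web server certificate, and a rejection naming `Demo Policy CA` for the code signing certificate. The signature over the code signing certificate is perfectly valid; it fails only because of the EKU carried two levels up. That is the sense in which a Policy CA "enforces" policy: it bounds what certificates beneath it are accepted for, while preventing the issuance itself remains the job of template permissions, CA officer roles and audit on the Issuing CA.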