000025680 - How to revoke Online CA from Offline CA on separate KCA installations.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025680
Applies To: Keon Certificate Authority
Offline CA and Online CA are hosted on separate KCA installations.
Issue: How to revoke Online CA from Offline CA on separate KCA installations.
Cause: When an Offline Certificate Authority is used to sign an Online Certificate Authority, it does not keep a record, or local reference, of the Online CA. For this reason, it is not possible for the Offline CA to revoke the Online CA and issue a Certificate Revocation List with the revoked Online CA signer in it. This is true for all versions of KCA up to and including 5.7.
Resolution: This is not possible in KCA. A Request For Enhancement has been raised for this issue under number tst00021481.

Note: this is true only where the Online and Offline CAs are held on separate KCA installations. The Offline CA is quite capable of revoking an Online CA and issuing a correct Certificate Revocation List when both CAs are on the same KCA installation.
Legacy Article ID: a4968
