Clarify that CAs can generate their own keys
timfromdigicert opened this issue · 3 comments
This one has come up a few times in the Validation Subcommittee of the CA/Browser Forum, and came up again in a side discussion today.
Mozilla policy currently contains the following:
"CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage."
This can be read as prohibiting key generation for certificates that CAs issue to themselves, which I don't believe was the intent.
I think it's pretty simple to fix ... for example:
"CAs MUST NOT generate the key pairs for end-entity certificates that have an EKU extension containing the KeyPurposeIds id-kp-serverAuth or anyExtendedKeyUsage, unless the certificate is being issued to the CA itself."
There are probably lots of other ways to fix it. Also, using "CA organization" here would be a slight improvement over the bare term "CA", which is somewhat ambiguous.
The reason I didn't use the term "end-entity certificate" is that this happens at a point in time where there is no certificate yet. In fact, I probably should have said Applicant instead of Subscriber. Fixed.
Resolved in version 2.8