16.5. Using Cross-Pair Certificates
In the late 1990s, as the US government began enhancing its public key infrastructure, it became apparent that branches of government with their own, separate PKI deployments still needed to be able to recognize and trust each other's certificates as if the certificates had been issued by their own CA. (Getting certificates trusted outside a network, so that external clients can use them, is a serious and not easily resolved issue for any PKI administrator.)
The US government devised a standard for issuing cross-pair certificates called the Federal Bridge Certificate Authority. These certificates are also called bridge certificates, for obvious reasons. Bridge or cross-pair certificates are CA signing certificates that are framed as dual certificate pairs, similar to the encryption and signing certificate pairs issued to users, except that each certificate in the pair is issued by a different CA. Each partner CA stores the other CA's signing certificate in its database, so all of the certificates issued within the other PKI are trusted and recognized.
Bridging certificates honor certificates issued by a CA that is not chained to the root CA in its own PKI. By establishing a trust between the Certificate System CA and another CA through a cross-pair CA certificate, the cross-pair certificate can be downloaded and used to trust the certificates issued by the other CA, just as downloading and installing a single CA certificate trusts all certificates issued by that CA.
The Certificate System can issue, import, and publish cross-pair CA certificates. A special profile must be created for issuing cross-pair certificates, and then the certificates can be requested and installed for the CA using the Certificate Wizard for the CA subsystem.
For more information on creating cross-pair certificate profiles, see Configuring Cross-Pair profiles.
For more information on publishing cross-pair certificates, see Section 8.9, “Publishing Cross-Pair Certificates”.
16.5.1. Installing Cross-Pair Certificates
Both cross-pair certificates can be imported into the Certificate System databases using the certutil tool or by selecting the Cross-Pair Certificates option from the Certificate Setup Wizard, as described in Section 16.6.1, “Installing Certificates in the Certificate System Database”.
When both certificates have been imported into the database, a crossCertificatePair entry is formed and stored in the database. The original individual cross-pair CA certificates are deleted once the crossCertificatePair entry is created.
16.5.2. Searching for Cross-Pair Certificates
Both CAs in a bridge relationship can store or publish the cross-pair certificates as a crossCertificatePair entry in an LDAP database. The Certificate Manager's internal database can be searched for the crossCertificatePair entry with ldapsearch.
/usr/lib[64]/mozldap/ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com -b "o=server.example.com-pki-ca" -s sub "(crossCertificatePair=*)"
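The search above returns the crossCertificatePair values base64-encoded in LDIF. The following added example (not part of Certificate System) decodes such a value into its two certificates: per X.509 / RFC 4523, a CertificatePair is a DER SEQUENCE holding an optional explicitly tagged [0] forward certificate (issued to this CA by the partner) and [1] reverse certificate (issued by this CA to the partner). The attribute spelling crossCertificatePair;binary and the sample LDIF and DER bytes are constructed assumptions; the certificate slots hold placeholder SEQUENCEs rather than real certificates.

```python
import base64

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length: next N bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def split_cross_certificate_pair(der):
    """Split a DER CertificatePair (SEQUENCE of [0] forward / [1] reverse, both
    OPTIONAL, explicitly tagged) into its two certificate encodings."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificatePair must be a SEQUENCE")
    parts, pos = {"forward": None, "reverse": None}, 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:
            parts["forward"] = inner                # certificate issued *to* this CA
        elif tag == 0xA1:
            parts["reverse"] = inner                # certificate issued *by* this CA
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in CertificatePair")
    if parts["forward"] is None and parts["reverse"] is None:
        raise ValueError("CertificatePair must carry at least one certificate")
    return parts

def pairs_from_ldif(ldif_text):
    """Unfold LDIF and decode every base64 crossCertificatePair value found."""
    unfolded = ldif_text.replace("\n ", "")        # LDIF folds long lines with a leading space
    pairs = []
    for line in unfolded.splitlines():
        for prefix in ("crossCertificatePair;binary:: ", "crossCertificatePair:: "):
            if line.startswith(prefix):
                pairs.append(split_cross_certificate_pair(base64.b64decode(line[len(prefix):])))
    return pairs

# Constructed sample: placeholder SEQUENCEs stand in for the real certificates.
FORWARD_STUB = bytes.fromhex("3003020101")
REVERSE_STUB = bytes.fromhex("3003020102")
SAMPLE_PAIR_DER = (bytes([0x30, 0x0E, 0xA0, 0x05]) + FORWARD_STUB
                   + bytes([0xA1, 0x05]) + REVERSE_STUB)
SAMPLE_LDIF = ("dn: cn=example-pair,o=server.example.com-pki-ca\n"
               "crossCertificatePair;binary:: "
               + base64.b64encode(SAMPLE_PAIR_DER).decode() + "\n")

if __name__ == "__main__":
    for pair in pairs_from_ldif(SAMPLE_LDIF):
        print({k: (v.hex() if v else None) for k, v in pair.items()})
```

A missing forward or reverse half is reported as None rather than an error, which is how a one-sided bridge (only one CA has imported its certificate so far) shows up in the directory.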