How to add my private CA to test logs?


Dinesh Prasanth Moluguwan Krishnamoorthy

May 23, 2019, 11:24:47 AM
to certificate-transparency
Hello everyone,

I started experimenting with Certificate Transparency and trying to hit various API endpoints. Now, I would like to experiment with `add-chain` and `add-pre-chain`. Since these require certs signed by a root CA already added to the log servers, I was planning to set up a private CA and add it to the test logs.

I was reading the requirements of the private CA here and I was confused by the term "not allow real certificates to chain to it". Is it possible for CA to be configured in such a way? Can someone explain this requirement in simple words?

Regards,
Dinesh

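The procedure the question describes, as an added example that is not part of the thread: a throwaway private root CA built with openssl, one test leaf and one precertificate issued under it, and the JSON request bodies that RFC 6962 `add-chain` and `add-pre-chain` expect. The names (`Example Test Root CA`, `test.example`, `$WORK`, `$LOG_URL`) are assumptions chosen for the example; nothing is sent to any log.

```shell
#!/bin/sh
# Added example, not code from the thread: build a private test root CA with
# openssl, issue one test leaf and one precertificate under it, and assemble
# the JSON bodies that RFC 6962 add-chain / add-pre-chain expect:
#   {"chain": ["<base64 DER end-entity>", "<base64 DER issuer>", ...]}
# Nothing is sent to any log. Assumes openssl 1.1.1 or newer is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# Minimal openssl config so the result does not depend on the distro's
# default openssl.cnf. The root is a plain self-signed CA: nothing publicly
# trusted chains to it and it never issues certificates to real subscribers.
cat > "$WORK/test-ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = root_ext
[dn]
CN = Example Test Root CA (test logs only)
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions; the precert additionally carries the RFC 6962 poison
# extension (OID 1.3.6.1.4.1.11129.2.4.3, critical, ASN.1 NULL) so that no
# TLS client will ever accept it as a real certificate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:test.example\n' > "$WORK/leaf.ext"
{ cat "$WORK/leaf.ext"; echo '1.3.6.1.4.1.11129.2.4.3=critical,ASN1:NULL'; } > "$WORK/precert.ext"

make_test_root() {
  openssl req -x509 -config "$WORK/test-ca.cnf" -days 30 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# One key and CSR for the end entity: the precert and the final certificate
# must share the same key and subject, only their extensions differ.
make_test_csr() {
  openssl req -new -config "$WORK/test-ca.cnf" -subj "/CN=test.example" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
}

# Sign the CSR with the test root. $1 = extension file, $2 = output PEM
issue_under_root() {
  openssl x509 -req -in "$WORK/leaf.csr" -days 7 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$1" -out "$2" 2>/dev/null
}

# base64 of the DER encoding on one line, as the JSON array elements require
der_b64() { openssl x509 -in "$1" -outform DER | openssl base64 -A; }

# $1 = end-entity PEM, $2 = output JSON file. The chain is end entity first,
# then its issuer(s) up to the root the log has been configured to accept.
build_chain_body() {
  printf '{"chain":["%s","%s"]}\n' "$(der_b64 "$1")" "$(der_b64 "$WORK/root.pem")" > "$2"
}

# Checks on the result
chain_entries() { tr ',' '\n' < "$1" | wc -l | tr -d ' '; }
leaf_verifies() { openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1; }
has_poison() {
  openssl x509 -in "$1" -noout -text |
    grep -Eq 'Precertificate Poison|1\.3\.6\.1\.4\.1\.11129\.2\.4\.3'
}

make_test_root
make_test_csr
issue_under_root "$WORK/leaf.ext" "$WORK/leaf.pem"
issue_under_root "$WORK/precert.ext" "$WORK/precert.pem"
build_chain_body "$WORK/leaf.pem" "$WORK/add-chain.json"
build_chain_body "$WORK/precert.pem" "$WORK/add-pre-chain.json"

# Submitting, once a log operator has added root.pem to a test log
# (not run here; needs network and a LOG_URL of your own):
#   curl -sS -H 'Content-Type: application/json' \
#        --data @"$WORK/add-chain.json" "$LOG_URL/ct/v1/add-chain"
#   curl -sS -H 'Content-Type: application/json' \
#        --data @"$WORK/add-pre-chain.json" "$LOG_URL/ct/v1/add-pre-chain"
echo "test CA and request bodies written to $WORK"
```

The root is deliberately self-signed with no cross-certificate from or to anything else, and the only subject it ever signs is the test name; `leaf_verifies` confirms the leaf chains to it and `has_poison` confirms the precert, but not the leaf, carries the poison extension.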
al...@alexcohn.com

May 23, 2019, 11:44:40 AM
to certificate-...@googlegroups.com
My understanding of the “real certificates” requirement is that you cannot issue a cross-certificate from your test root CA to a publicly-trusted CA. I can’t speak for log operators, but if I had to guess, the intent behind this rule is to limit the number of certificates eligible to be logged in the test logs. Presumably test logs are operated in a cheaper and less-redundant fashion than the production logs, and therefore might not be designed to take the load production logs bear (both in terms of the CPU for sequencing new submissions and the disk space to store the resultant entries).

Perhaps a log operator will chime in to confirm or refute my wild speculation. The best way to find out the right answer is often to propose the wrong one. :)

Alex
--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/b1e2dd52-a4be-4d6f-a4c1-281ce80c6f97%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mirro

May 24, 2019, 3:40:14 AM
to certificate-transparency
Hi, guys

The “real certificates” requirement, in my opinion, means that the root CA certificate or the intermediate CA certificate cannot be used to issue a valid certificate to your subscribers. It can only be used to issue test certificates.

Thanks,
Mirro

Martin Smith

May 24, 2019, 3:40:21 AM
to certificate-...@googlegroups.com
Hi,

For personal testing this doesn't apply as you don't issue certificates that are trusted by browsers.

There are multiple reasons really. Load could be an issue depending on how logs are deployed and resources to run them are not free. It's also to prevent confusion as it makes it clear to anyone adding a root certificate that it is test only. It's also generally a good idea to separate test data from live data.

Martin
