End entity profile of type Root CA

[TjeuKayim]

Use case: Cross signing one Sub CA as Root CA. The Sub CA is added as EJBCA Authority, while the Root CA is added as EJBCA End Entity, submitting the CRL via an End Entity to the Authority to get a self-signed certificate for the same public key as the Sub CA. This approach works well in ejbca-ce v7.9.0.2, but requires a workaround and seems to depend on behavior that is not documented.

The straightforward way would have been to select a Root CA profile as an available cert profile in the end entity profile. Though it is not possible to select cert profiles of that type as an available cert profile when editing an end entity profile via the web interface, because it is not returned in EndEntityProfileMBean:getAllCertificateProfiles(). Confusingly, CERTPROFILE_FIXED_ROOTCA is added to EndEntityProfile.CONST_AVAILCERTPROFILES2.

Multiple possible workarounds:

1. End entities using the certificate profile of type Sub CA can also be used to issue self-signed (Root CA) certificates. It is not clear if this is intended behavior or not. Those Sub CA cert profiles can easily be selected in end entity profiles via the web interface.

2. And admin users can still set the end entity profile properties Default Certificate Profile
   and Available Certificate Profiles to a Root CA profile in one of the following inelegant ways:

   • Via the web interface:
     1. Create a certificate profile called MyCertProfile of type Sub CA
     2. Create a new end entity profile, and set the default cert profile to MyCertProfile
     3. Edit MyCertProfile and change the type from Sub CA to Root CA
   • Via the import/export feature:
     1. Create a new end entity profile, without modifying the default cert profile
     2. Export the profiles
     3. Alter the XML
     4. Import the profiles

It seems that multiple things here can use extra validation logic. Is this a known issue?

[primetomas]

Correct, you are expected to use a SubCA certificate profile. There is no change per se on CA certificate profiles, the certificate profile does not limit the keys used, or subject and issuerDN. So in general it's no difference between a Root and Sub CA certificate profile. You should configure it as you want the certificate contents to be.

Sematically, I'd claim that a cross-certificate is a sub CA certificate. Assuming that you Sub CA and Root Ca does not share the same subject DN (making them the same CA in practice) the subjectDN and issuerDN are different. In Link certificates the subject and issuer may be the same, typically used to renewal to establish trust in a new key (and hence kind of useless if renewing a CA using the same key).

[TjeuKayim]

Thanks for the explanation and confirming that it's an intended feature how self-signed certificates can be issued with Sub-CA profiles.

Assuming that you Sub CA and Root Ca does not share the same subject DN (making them the same CA in practice)

Yes, that does indeed matter. In my use case, the cross-signed version uses the same DN as the self-signed version. Similar to the relation between https://letsencrypt.org/certs/isrg-root-x2.txt and https://letsencrypt.org/certs/isrg-root-x2-cross-signed.txt

[TjeuKayim]

Update: I now realized I wrongfully called the self-signed version “cross signed” in my original question. I meant:

- Use case: Cross signing one Sub CA as Root CA
+ Use case: Signing an existing Sub CA (cross-signed) as Root CA (self-signed)

[primetomas]

Ok. The typical case is that you start with a Root CA, and get that cross-signed by another Root CA, creating a Sub CA. This is well and easily supported.
But I also think you should be able to just use a SubCA cert profile, as the cert profile does not limit the issuer/subjectDN in any way.