Author: Mike Hearn 2013-04-25 10:05:06
Published on: 2013-04-25T10:05:06+00:00
It appears that the original statement about chaining a custom certificate onto an SSL cert is not effective in achieving the goal of "cold signing" as the SSL private key is typically kept online and cannot be used to sign a pubkey that is supposed to stay offline. The purpose of this process is not to protect against web server compromise, but rather to allow delegation of signing authority without giving the delegate access to the SSL private key. It is noted that the SSL PKI cannot handle compromised web servers at this time.
Updated on: 2023-06-06T15:32:24.005624+00:00