Simulating a data breach scenario

In the Search Guard documentation for the online certificate generator, there is a section which describes signing node and client certificates with an intermediate CA, reasoning that if a data breach occurs, it is simple to revoke an intermediate CA certificate instead of revoking and regenerating the root CA certificate, and effectively the entire chain of trust.

When using the offline TLS generator, I’m trying to simulate revoking an intermediate certificate by deleting all certificates and keys in the output directory except for the root certificate and key. My assumption is that if I were to use the configuration YAML I originally used to create the certificates, it would recognize the existence of root certificate and key already, and proceed to creating a new intermediate CA certificate and key and then all the required node and client certificates and keys.

When I run sgtlstool.sh in this scenario, it outputs the error: “out/my-test-ca.key” does already exist.

Why is this the case? Shouldn’t sgtlstool.sh create a new intermediate CA because the root CA already exists?

You can add more certificates by running the Search Guard TLS tool multiple times. If you run the tool multiple times, the requirements are:

  • the root CA and, if used, the intermediate certificates and keys must be present in the output folder
  • the password of the root CA and, if used, the intermediate CA must be present in the config file

If you want to deprecate the intermediate CA, you need to create the new intermediate CA certificate manually and place it in the output folder.
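The manual step from the answer above, as an added shell example that is not part of this thread or of the Search Guard TLS tool: it retires the old intermediate, issues a fresh intermediate CA signed by the existing root with openssl, and checks the chain before sgtlstool.sh is rerun. The root file names (my-test-ca.key as quoted in the question), the intermediate file names and the passwords are assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum posts or the Search Guard tool.
# Assumed names: out/my-test-ca.key and out/my-test-ca.pem for the root CA,
# my-test-signing-ca.* for the intermediate; passwords are placeholders.
set -eu

OUT="${OUT:-out}"
ROOT_KEY="$OUT/my-test-ca.key"
ROOT_CRT="$OUT/my-test-ca.pem"
ROOT_PASS="${ROOT_PASS:-root-secret}"
INT_KEY="$OUT/my-test-signing-ca.key"
INT_CRT="$OUT/my-test-signing-ca.pem"
INT_PASS="${INT_PASS:-intermediate-secret}"

# Constructed root CA so the example runs stand-alone; in the real scenario
# the root key and certificate already sit in the output folder.
make_demo_root() {
  mkdir -p "$OUT"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -passout "pass:$ROOT_PASS" \
    -keyout "$ROOT_KEY" -out "$ROOT_CRT" 2>/dev/null
}

# Retire the old intermediate and issue a new one signed by the existing root.
# Node/client certificates issued by the old intermediate are removed separately
# and regenerated by sgtlstool.sh on the next run.
rotate_intermediate() {
  rm -f "$INT_KEY" "$INT_CRT"
  openssl req -new -newkey rsa:2048 -sha256 \
    -subj "/CN=Example Signing CA" -passout "pass:$INT_PASS" \
    -keyout "$INT_KEY" -out "$OUT/signing.csr" 2>/dev/null
  # CA extensions: the new certificate must itself be allowed to sign leaf certs.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$OUT/signing-ext.cnf"
  openssl x509 -req -sha256 -days 730 -in "$OUT/signing.csr" \
    -CA "$ROOT_CRT" -CAkey "$ROOT_KEY" -passin "pass:$ROOT_PASS" -CAcreateserial \
    -extfile "$OUT/signing-ext.cnf" -out "$INT_CRT" 2>/dev/null
  rm -f "$OUT/signing.csr" "$OUT/signing-ext.cnf"
}

# Confirm the new intermediate chains to the root before rerunning the tool.
verify_chain() {
  openssl verify -CAfile "$ROOT_CRT" "$INT_CRT" >/dev/null 2>&1
}
```

After this, the intermediate password goes into the tool's config file and sgtlstool.sh is run again with the root and new intermediate present in the output folder.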
