Is it possible to change the "issuer" value in a CA so that when a new certificate is issued, the new "issuer" value appears?

In the case of having several SubCa, is it possible to match the same "issuer" in the certificates of all the SubCa or would it generate conflict?

2 Answers

2

In terms of certificate path validation, a CA is identified by the unique combination of its Subject Name and its Public Key. If you change either, it is a different certificate.

Administratively, a CA may have more than one signing key (and therefore more than one public key), but they are considered completely different and unrelated as far as certificate path validation is concerned. For example, the Acme Sub CA may have an RSA and an ECDSA signing key. A certificate signed by Acme Sub CA's RSA key will not validate with the Acme Sub CA's ECDSA key, and vice versa. Even if it had two RSA keys, a certificate signed by one would not validate with the other.

Is it possible to change the "issuer" value in a CA so that when a new certificate is generated the new "issuer" value appears?

If you change the issuer field, you are effectively just creating a new CA.

In the case of having several SubCa, is it possible to match the same "issuer" in the certificates of all the SubCa or would it generate conflict?

I will assume that by "issuer" in the certificates of all the SubCa, you mean all subscriber certificates issued by the CA. The Issuer of the SubCA itself is more than likely the Root CA, and it is quite common for that to sign multiple SubCAs, all of which will therefore have an Issuer of "Acme Root CA".

A CA may have several instances of their software running behind a load-balancer. The first subscriber may access the 1st instance for signing and the second subscriber may access the 2nd instance for signing, and so on. In this scenario the Subject of the CA certificate (and hence the Issuer of the subscriber's certificate) is the same, and the CA software would use the same key for signing these. From a certificate path validation perspective, it makes no difference.

If, by several, you mean you have different software instances, each with their own signing keys, but with the same Subject (and hence same Issuer in the subscriber certificate) then these are effectively just different CAs from a path validation point of view.

Finally, note that you can only change the Issuer field of the SubCA by getting the parent CA (the Root, more than likely) to sign a new CA certificate for it. If you write your own software which uses the Acme Sub CA certificate and signing key, but outputs subscriber certificates with a different Issuer field, then it will simply fail path validation as the relying party will never match both the Public Key and Subject (see my first sentence of this answer).

All the gory details are in RFC 5280 Section 6.
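The two situations described in this answer, carried out with Go's standard-library path validation (an added example, not code from the answer's author): a constructed hierarchy in which two Sub CA certificates share the Subject "Acme Sub CA" but hold different keys, and a leaf whose Issuer was changed by signing it under a renamed copy of the Sub CA that still uses the Sub CA's key. The CA names and the host name www.example.test are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// sign issues a certificate for pub under parent (nil means self-signed). Go copies the Issuer
// from parent.Subject, so signing under a parent with a different Subject changes the Issuer.
func sign(cn string, ca bool, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// BuildPKI constructs: "Acme Root CA" signs two Sub CAs that share the Subject "Acme Sub CA" but hold different keys.
func BuildPKI() (root, subA, subB, leaf, renamedLeaf *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, keyA, keyB, leafKey := newKey(), newKey(), newKey(), newKey()
	root = sign("Acme Root CA", true, 1, &rootKey.PublicKey, nil, rootKey)
	subA = sign("Acme Sub CA", true, 2, &keyA.PublicKey, root, rootKey)
	subB = sign("Acme Sub CA", true, 3, &keyB.PublicKey, root, rootKey)
	leaf = sign("www.example.test", false, 4, &leafKey.PublicKey, subA, keyA)
	// Sub CA A's key behind another Subject: a leaf signed under it carries an Issuer that matches no issued CA certificate.
	renamed := sign("Acme Sub CA Renamed", true, 5, &keyA.PublicKey, nil, keyA)
	return root, subA, subB, leaf, sign("www.example.test", false, 6, &leafKey.PublicKey, renamed, keyA)
}

// Validates runs Go's RFC 5280 path validation of leaf with exactly one Sub CA offered as intermediate.
func Validates(leaf, sub, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}
```

Only the chain in which the offered Sub CA matches the leaf's Issuer by Subject and also verifies its signature validates; the same Subject with a different key fails, as does a leaf whose Issuer matches no CA Subject.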

0

No, you can't change it. The Issuer field is automatically generated by the CA and matches the CA name.
