Can the Root CA private key be removed from the IGEL UMS after the signed client certificate is created?


Hi all, we are preparing to install ICG and have a question about the cert for ICG. We planned to go with Creating certificates from an Existing Root Certificate. It involves using the Root CA private key from the CA certificate to create a signed client certificate. Can the Root CA private key be removed from the UMS after the signed client certificate is created? There may be some concerns about having the Root CA private key left on a DMZ server, if it can’t be deleted.


I don’t fully have an answer for you as that is a bit outside my wheelhouse. However, I do have a question. Are you saying your UMS server is in the DMZ?


UMS is in LAN and ICG is in DMZ. ICG will be installed via Remote installer.


You generate a private key for your ICG server and create a signing request (CSR) from it. With the CSR you can create the certificate on your CA server. Then you import the generated private key and the new certificate into your UMS – you also need to import the certificates of your CA and (if used) intermediate CA – no need to import a private key from a CA. It is the same as if you use a public CA – you only get their certificate chain and no private key from them.


Then, you don’t have to worry, the ROOT CA and the according key will never leave your LAN, both stay in your UMS. They are needed there for issuing and verifying.
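The CSR-based procedure described in the thread, as an added example that is not part of the original posts and is not IGEL's own tooling: it issues an ICG certificate from a CSR and checks that the set of files to import contains exactly one private key, the ICG's own. The throwaway root CA, the subject names and all file names are assumptions made for the demo; the import into the UMS itself is not scripted here.

```shell
#!/bin/sh
# Added example: the CA key signs a CSR on the CA host and is never copied out.
# The CA, subjects and paths below are constructed for the demo.
set -eu

issue_icg_cert() {
    work=$1; ca="$work/ca"; icg="$work/icg"
    mkdir -p "$ca" "$icg"
    # CA host (stand-in for the existing CA server): root key and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$ca/root.key" -out "$ca/root.crt" 2>/dev/null
    # Admin side: private key and CSR for the ICG server.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=icg.example.test" \
        -keyout "$icg/icg.key" -out "$icg/icg.csr" 2>/dev/null
    # CA host: only the CSR goes in, only the signed certificate comes out.
    openssl x509 -req -in "$icg/icg.csr" -days 30 \
        -CA "$ca/root.crt" -CAkey "$ca/root.key" -CAcreateserial \
        -out "$icg/icg.crt" 2>/dev/null
    cp "$ca/root.crt" "$icg/root.crt"   # public chain only, no CA key
}

# Succeeds when the issued certificate chains to the root certificate.
chain_ok() { openssl verify -CAfile "$1/icg/root.crt" "$1/icg/icg.crt" >/dev/null 2>&1; }

# Prints how many private keys are in the set of files that would be imported.
count_private_keys() { cat "$1"/icg/* | grep -c -- '-----BEGIN.*PRIVATE KEY-----'; }

# Succeeds when icg.key is the key pair behind icg.crt.
key_matches_cert() {
    a=$(openssl pkey -in "$1/icg/icg.key" -pubout 2>/dev/null)
    b=$(openssl x509 -in "$1/icg/icg.crt" -pubkey -noout 2>/dev/null)
    [ "$a" = "$b" ]
}

demo=$(mktemp -d)
issue_icg_cert "$demo"
chain_ok "$demo" && key_matches_cert "$demo" &&
    echo "import set holds $(count_private_keys "$demo") private key(s)"
rm -rf "$demo"
```
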
