Issuing TSA (Time Stamping Authority) certificates

Question

What is a practice for issuing TSA (Time Stamping Authority) certificates?

I read that TSA certificates should be issued directly from Root CA, but basically TSA certificate is end entity certificate and Root CA should't be issuing certificates for end entities.

Should I issue TSA certificate from Root CA or should I issue dedicated Intermediate CA for issuing TSA certificate?

What is your source for the recommendation? How are you going to use the TSA? How many people will use it? How will you roll out your CA certificate to those people's computers? — StackzOfZtuff, Jan 29 '18 at 20:51

score 1 · Answer 1 · answered Oct 31 '17 at 09:36

Your argument is correct, in most cases you should create an intermediate certificate, which issues your timestamping certificate.

The only reason I can think of for creating it directly from root would be, that managers of very small PKIs want to avoid the additional administrative overhead of an extra intermediate CA for a certificate type which will only be issued very seldom (probably less than one certificate per year). It can be done in a private enterprise setting, but it is definitely bad practice.

Issuing TSA (Time Stamping Authority) certificates

1 Answers1