Trust Status with PKCS 7 and PKCS 12 Certificates
When a PKCS 7 certificate package containing more than one certificate is added, the second certificate through the last certificate are treated as CA certificates.
When a PKCS 12 certificate package is added, any certificate that does not have a "local key id" is treated as a CA certificate. The "local key id" is a string that allows a key and a certificate to be matched (the same id means they belong together).
The CA certificates are sorted to determine the hierarchy. They are then added under the CERTAUTH ACID from the top CA down to the lowest CA, so that each certificate in the package can be verified against its previously added signing certificate. The end-entity certificate is added last.
The CA certificates added receive a record ACID and label in the format CERTAUTH.AUTOnnnn, where nnnn is a number between 0 and 9999. The highest-level CA certificate will not necessarily receive an AUTOnnnn number lower than those of the other CA certificates being added.
When CA certificates are added from a PKCS 7 or PKCS 12 chain, the following rules apply:
- If the certificate has already been added and has HITRUST status, the certificate retains the HITRUST status.
- The trust status specified on the command applies to the top-level CA certificate. This establishes the TRUST status so that subsequent adds of the other CA certificates and of the end-entity certificate can inherit the status from their signing certificate. HITRUST status is ignored if the record is for an ACID other than CERTAUTH.
- When no trust status is specified for the lower CAs in the certificate chain:
  - If the certificate has one or more of the following inconsistencies, it is added with NOTRUST status:
    - The certificate is expired
    - The certificate's validity period does not fall within the signer's validity period
    - The issuer of the certificate is missing from the package and is not already in the CA Top Secret database
    - The certificate has an unknown signature algorithm
  - If no inconsistencies are detected, the certificate is added and inherits the trust status of its signing certificate
    - HITRUST is inherited from the parent only if the target ACID on the add command is CERTAUTH. In all other cases, the inherited trust status becomes TRUST.
- If an error occurs during an add from a PKCS 7 or PKCS 12 certificate package, there is no back-out processing. Certificates already added are not removed.
- If the above rules conflict, the first one that matches applies.
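The following simulation is an added example and is not CA Technologies' code; it models the rules above for a constructed three-certificate chain so the outcome of each rule can be checked. It assumes a small set of "known" signature algorithms, keys CA records by subject instead of assigning CERTAUTH.AUTOnnnn labels, and falls back to NOTRUST when a certificate has no parent record to inherit from (a case the page does not define).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Signature algorithms this simulation treats as known (constructed list, not TSS's own table).
KNOWN_SIG_ALGS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption", "ecdsa-with-SHA256"}


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date
    sig_alg: str
    local_key_id: Optional[str] = None  # PKCS 12 only: set when a matching private key exists


def classify(certs: List[Cert], package: str) -> Tuple[List[Cert], List[Cert]]:
    """Split a package into (CA certs, end-entity certs) per the two rules on the page."""
    if package == "PKCS7":
        return certs[1:], certs[:1]                                 # 2nd through last are CA certs
    if package == "PKCS12":
        return ([c for c in certs if c.local_key_id is None],       # no local key id -> CA cert
                [c for c in certs if c.local_key_id is not None])
    raise ValueError(f"unknown package type {package}")


def order_top_down(cas: List[Cert]) -> List[Cert]:
    """Sort CA certs so each one follows its signer: top CA first, lowest CA last."""
    subjects = {c.subject for c in cas}
    ordered, pending = [], list(cas)
    while pending:
        ready = [c for c in pending
                 if c.issuer == c.subject                           # self-signed root
                 or c.issuer not in subjects                        # signer not in the package
                 or any(o.subject == c.issuer for o in ordered)]    # signer already placed
        if not ready:
            raise ValueError("certificate chain contains a cycle")
        for c in ready:
            ordered.append(c)
            pending.remove(c)
    return ordered


def inconsistencies(cert: Cert, signer: Optional[Cert], today: date) -> List[str]:
    """The four conditions the page lists; any one of them forces NOTRUST."""
    found = []
    if cert.not_after < today:
        found.append("expired")
    if signer is None:
        found.append("issuer missing from package and database")
    elif not (signer.not_before <= cert.not_before and cert.not_after <= signer.not_after):
        found.append("validity period outside signer's validity period")
    if cert.sig_alg not in KNOWN_SIG_ALGS:
        found.append("unknown signature algorithm")
    return found


def add_package(certs, package, target_acid, cmd_status, certauth_db, today):
    """Simulate the add. certauth_db maps subject -> (Cert, status) already under CERTAUTH.
    Returns {(acid, subject): status} in add order. Real records are labelled
    CERTAUTH.AUTOnnnn; this simulation keys them by subject instead (assumption)."""
    cas, ees = classify(certs, package)
    known = dict(certauth_db)  # subject -> (Cert, status); grows as CA certs are added
    assigned: Dict[Tuple[str, str], str] = {}

    def decide(cert: Cert, acid: str, explicit: Optional[str]) -> str:
        # Rules are checked in page order; the first one that matches applies.
        if acid == "CERTAUTH" and certauth_db.get(cert.subject, (None, None))[1] == "HITRUST":
            return "HITRUST"                           # already present with HITRUST: retained
        if explicit is not None:
            return explicit                            # status from the command (top CA only)
        signer = known.get(cert.issuer)                # from the package or the database
        signer_cert = cert if cert.issuer == cert.subject else (signer[0] if signer else None)
        if inconsistencies(cert, signer_cert, today):
            return "NOTRUST"
        status = signer[1] if signer else "NOTRUST"    # no parent record to inherit from (assumption)
        if status == "HITRUST" and acid != "CERTAUTH":
            status = "TRUST"                           # HITRUST is only inherited under CERTAUTH
        return status

    for i, ca in enumerate(order_top_down(cas)):
        status = decide(ca, "CERTAUTH", cmd_status if i == 0 else None)
        known[ca.subject] = (ca, status)
        assigned[("CERTAUTH", ca.subject)] = status
    for ee in ees:                                     # end-entity certificate is added last
        assigned[(target_acid, ee.subject)] = decide(ee, target_acid, None)
    return assigned


def run(package="PKCS12", inter_expiry_year=2025, target_acid="USER01", cmd_status="HITRUST"):
    """Constructed chain Root -> Inter -> server; 'today' is fixed so results are deterministic."""
    alg = "sha256WithRSAEncryption"
    root = Cert("CN=Root", "CN=Root", date(2010, 1, 1), date(2030, 1, 1), alg)
    inter = Cert("CN=Inter", "CN=Root", date(2015, 1, 1), date(inter_expiry_year, 1, 1), alg)
    ee = Cert("CN=server", "CN=Inter", date(2020, 1, 1), date(2022, 1, 1), alg, local_key_id="01")
    # end entity listed first, as in a PKCS 7 package; PKCS 12 ignores the order
    return add_package([ee, inter, root], package, target_acid, cmd_status, {}, date(2021, 6, 1))


if __name__ == "__main__":
    for (acid, subject), status in run().items():
        print(f"{acid:9} {subject:10} {status}")
```

With the defaults, the root receives the command's HITRUST, the intermediate inherits HITRUST because it is added under CERTAUTH, and the end-entity record under USER01 drops to TRUST. Changing the intermediate's expiry to 2035 pushes its validity period past the root's, so it is added with NOTRUST and the end-entity certificate inherits NOTRUST from it.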
Copyright © 2014 CA Technologies.
All rights reserved.