Maintaining the rootstore

Activities

The following activities are needed for the rootstore:

Adding new roots

There are two occasions upon which a new root is added

In the first case, the CA first has to pass through a procedure designed to make sure only real CAs get admitted to the rootstore.

In the second, the CA is already authorized, and no further vetting at that level is needed.

Before adding a certificate it should be verified that the person submitting the certificates is authorized to do so, then:

Removing obsolete certificates

Certificates are only valid for a certain time. When removing or updating a certificate, the old include file declarations and the entry in the repository table are at least commented out. Optionally they can be deleted, but keeping a trace of which certificates have been included in the repository is preferable.

Removing roots for renegade CAs

While this is a rare event (we hope), a CA may start issuing certificates that are not trustworthy. In such cases it may not be enough to just disable the root; it may be necessary to forcibly remove the root from each installed client, as well as marking the CA as untrusted.

In such cases:

This functionality will only work for client versions that have a remote update capability.