NIAP: View Technical Decision Details
Archived TD0391:  Intermediate certificate requirements

Publication Date

Protection Profiles

Other References

Issue Description

The Test Assurance Activity for FIA_X509_EXT.1.1 states "The evaluator shall create a chain of at least four certificates: the node certificate to be tested, two Intermediate CAs, and the self-signed Root CA." The SFR itself does not require two intermediate CAs, and having multiple intermediate CAs does not provide additional security.


The introductory paragraph for the Test Assurance Activity shall be modified as follows:

The tests described must be performed in conjunction with the other certificate services assurance activities, including each of the functions in FIA_X509_EXT.2.1. The tests for the extendedKeyUsage rules are performed in conjunction with the uses that require those rules. The evaluator shall create a chain of at least three certificates: the node certificate to be tested, an Intermediate CA, and the self-signed Root CA.


There must be at least one intermediate CA because the self-signed root CA should not be issuing certs.
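
The minimum chain described above can be built with the OpenSSL command line as follows. This is an added example, not part of the Technical Decision or of any NIAP test tooling; the file names, subject names, key size, 30-day lifetime and extension values are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Constructed test PKI for the three-certificate chain:
# self-signed Root CA -> one Intermediate CA -> node certificate.
# All names, lifetimes and key sizes are assumptions for illustration.

# new_csr NAME CN : fresh RSA key plus a CSR for the given common name
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

build_chain() (   # body runs in a subshell, so the caller's cwd is untouched
  mkdir -p "$1" && cd "$1" || exit 1
  cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_node]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF
  new_csr root "Test Root CA" &&
  new_csr int  "Test Intermediate CA" &&
  new_csr node "node.example.test" &&
  # Root CA: self-signed with its own key
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ext.cnf -extensions v3_ca -out root.pem 2>/dev/null &&
  # Intermediate CA: issued by the root
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions v3_ca -out int.pem 2>/dev/null &&
  # Node certificate: issued by the intermediate, never by the root
  openssl x509 -req -in node.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions v3_node -out node.pem 2>/dev/null
)

# Full path: root is the trust anchor, intermediate is supplied as untrusted
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/node.pem" \
    >/dev/null 2>&1
}

# Same node certificate with the intermediate withheld: must not validate
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/node.pem" >/dev/null 2>&1
}
```

Call build_chain with an empty directory, then verify_chain on the same directory; verify_without_intermediate returning non-zero confirms that the node certificate is reachable from the root only through the intermediate CA.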
