Separating digital certificate and key updating processes


1. General description

Enable technical administrators to update the certificates of service providers and the list of Accredited key certification centres for the Platform and registries separately from the service key update procedure.

User roles

  • Technical registry administrator

  • Technical administrator of the Platform

2. Functional scripts

  • Updating the key verification data (the root certificates CACertificates.p7b and the list of Accredited key certification centres CAs.json) through the admin console

  • Updating key data

  • Updating the list of allowed keys

3. General provisions

  • After updating key secrets, the DSO component must be restarted so that it picks up the new values

  • When creating or editing a registry or the Platform, the menu items "Key data", "Key verification data" and "Allowed key list" must be configured separately and independently of each other

  • Separate settings apply to all types of keys (hardware and file)

4. Existing solution design

The functionality for updating keys, certificates and the list of Accredited key certification centres is combined in a single form, and all of its fields are mandatory.

Current implementation drawbacks

To replace the CACertificates.p7b certificates or the list of Accredited key certification centres, the administrator must also re-upload the registry keys.

5. Technical solution design

The technical implementation of updating the keys does not change.

You can see the current implementation here

5.1. Indicative design layouts of the admin console

[Image: mock-reg-keys] Figure 1. Key data setup layout

[Image: mock-reg-keys-2] Figure 2. Data setup layout for key verification

6. Migrating data during the registry update

All changes made must be backwards compatible with previous versions of the console.

7. Development plan

7.1. Technical examinations

  • DevOps

  • FrontEnd/BackEnd

7.2. Development plan

  • Logically divide UI elements into groups and configure validation

  • Add the current date and time to the file name in Gerrit
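The validation split described in the general provisions and in the development plan, as an added illustration (not code from the Platform): the current form requires every field at once, while the target form validates the three groups independently, flags a DSO restart only when key secrets changed, and timestamps an uploaded file name. The group and field names other than CACertificates.p7b and CAs.json are assumptions.

```python
from datetime import datetime, timezone

# Field groups the admin console is assumed to submit (hypothetical names);
# each group is validated on its own, so updating the CA bundle no longer
# forces a key update.
GROUPS = {
    "key_data": {"key_file", "key_password"},                # service key
    "key_verification": {"CACertificates.p7b", "CAs.json"},  # root certs + CA list
    "allowed_keys": {"allowed_keys"},
}


def validate_combined(payload):
    """Current design: every field of every group is mandatory."""
    required = set().union(*GROUPS.values())
    missing = sorted(required - set(payload))
    return {"ok": not missing, "missing": missing}


def validate_separate(payload):
    """Target design: only groups present in the payload are checked, and a
    group is valid only when all of its fields were supplied together."""
    result = {"ok": True, "updated": [], "missing": {}, "restart_dso": False}
    for group, fields in GROUPS.items():
        supplied = fields & set(payload)
        if not supplied:
            continue  # group not touched: existing settings stay as they are
        missing = sorted(fields - supplied)
        if missing:
            result["ok"] = False
            result["missing"][group] = missing
        else:
            result["updated"].append(group)
    # Key secrets are only read at startup, so DSO must be restarted when they change.
    result["restart_dso"] = result["ok"] and "key_data" in result["updated"]
    return result


def timestamped_name(filename, now=None):
    """Append the current UTC date and time to an uploaded file name."""
    now = now or datetime.now(timezone.utc)
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return f"{filename}_{now:%Y%m%dT%H%M%S}"
    return f"{stem}_{now:%Y%m%dT%H%M%S}.{ext}"
```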