🏷️ CA Trust Flags System - Specification

Date: 2025-10-02 Status: 🚧 IN DEVELOPMENT Version: 1.0

📋 Overview

System of cumulative trust flags for Certificate Authorities (CAs) to provide visual security and operational indicators in the PKI system.

Design Philosophy: - Cumulative flags within categories (not exclusive enum) - Auto-detection where possible (minimize manual tagging) - Visual badges for dashboard quick assessment - Audit trail for flag changes

🔐 Category: Security Level (Mutually Exclusive)

Only ONE security flag per CA at any time.

Flag Badge Color Description Auto-Detection Rule
very_secure 🟢 VERY SECURE Green Has always been internal and has never been without a password. trust_origin == 'internal' AND NEVER_WITHOUT_PASSWORD
secure 🟡 SECURE Yellow Is internal but was once without a password, OR has been imported/exported but has never been without a password. (trust_origin == 'internal' AND WAS_WITHOUT_PASSWORD) OR (trust_origin != 'internal' AND NEVER_WITHOUT_PASSWORD)
normal 🟠 NORMAL Orange Has been imported/exported and was once without a password. trust_origin != 'internal' AND WAS_WITHOUT_PASSWORD
compromised 🔴 COMPROMISED Red Key compromised - revocation required Manual flag OR security incident detection

State Transitions: - A CA's security level is dynamically calculated based on its origin and password history. - The compromised state is a manual override and is irreversible. - NEVER_WITHOUT_PASSWORD: The CA was created with password protection and has never had it removed. - WAS_WITHOUT_PASSWORD: The CA was created without password protection or has had it removed at some point.

Core Principle: Trust is a One-Way Street ⚠️ A Certificate Authority's security level can NEVER be upgraded. It is dynamically calculated based on its history (origin and password status). Once a CA has been in a less secure state (e.g., exported, or without a password), it can never regain a higher trust level, even if conditions change (e.g., a password is added). This prevents rewriting history and ensures a reliable trust assessment.

📦 Category: Origin (Mutually Exclusive)

Only ONE origin flag per CA at any time.

Flag Badge Color Description Trigger
internal 🏠 INTERNAL Blue Generated internally by PKIaaS Default on CA creation
imported 📥 IMPORTED Purple Imported from external system Import of external CA cert + key
exported 📤 EXPORTED Orange Private key exported externally Download of private key (PKCS#12, PEM)

State Transitions:

[Creation]  internal
internal + export private key  exported
[Import CA]  imported

Notes: - Once exported, stays exported forever (key left the system) - imported means we don't know full key history (trust lower) - Can't go back to internal once exported or imported

🔄 Category: Lifecycle (Cumulative)

Multiple lifecycle flags can be active simultaneously.

Flag Badge Color Description Trigger
rotated 🔄 ROTATED Cyan CA has been renewed/rotated CA rotation performed
cross_signed ⚡ CROSS-SIGNED Yellow Cross-signed with another CA Cross-signing established
retired 💤 RETIRED Gray CA retired (not revoked) Manual retirement or end-of-life

Examples: - A CA can be both rotated AND cross_signed - A CA can be retired but still valid for verification

⚙️ Category: Operational (Cumulative) - FUTURE

Proposed for future implementation:

Flag Badge Description Trigger
hsm_backed 🔒 HSM Private key in Hardware Security Module NitroKey/HSM integration
air_gapped 🌐 AIR-GAPPED Offline root CA (no recent signing) No certificate signed in 30+ days
high_volume 📈 HIGH-VOLUME High certificate issuance volume > 1000 certificates issued
auto_renewal 🔁 AUTO-RENEW Auto-renewal enabled auto_renewal_enabled=true
manual_approval ✋ APPROVAL Requires manual approval approval_mode=manual
acme_enabled 🤖 ACME ACME server enabled acme_public_enabled=true
mfa_required 🛡️ MFA Multi-factor auth required MFA policy enabled
offline_root 🔐 OFFLINE Offline root CA (never online) Root CA + never signed anything

🎯 Category: Compliance (Cumulative) - FUTURE

Proposed for compliance tracking:

Flag Badge Description
audited ✅ AUDITED Recent external audit passed
gdpr_compliant 📜 GDPR GDPR compliance verified
soc2_compliant 📋 SOC2 SOC2 Type II certified
hipaa_compliant 🏥 HIPAA HIPAA compliance verified

💾 Database Schema

CertificateAuthorities Table - New Columns

-- Security flags (mutually exclusive)
trust_security_level VARCHAR(20) DEFAULT 'secure'
    CHECK (trust_security_level IN ('very_secure', 'secure', 'compromised'))

-- Origin flags (mutually exclusive)
trust_origin VARCHAR(20) DEFAULT 'internal'
    CHECK (trust_origin IN ('internal', 'imported', 'exported'))

-- Lifecycle flags (cumulative - JSON array)
trust_lifecycle_flags JSON DEFAULT '[]'
    -- Example: ["rotated", "cross_signed"]

-- Operational flags (cumulative - JSON array) - FUTURE
trust_operational_flags JSON DEFAULT '[]'

-- Compliance flags (cumulative - JSON array) - FUTURE
trust_compliance_flags JSON DEFAULT '[]'

-- Metadata
trust_flags_last_updated_at TIMESTAMP
trust_flags_audit_log JSON DEFAULT '[]'
    -- Track who changed what flag when

🎨 UI/UX Guidelines

Dashboard CA List

┌─────────────────────────────────────────────────────────────────┐
│ Root CA - RDEM Systems SAS                                      │
│ 🟢 VERY SECURE  🏠 INTERNAL  💤 RETIRED                        │
│ Expires: 2034-10-02  │  3 certificates  │  Status: Retired     │
└─────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│ Intermediate CA - Web Servers                                   │
│ 🟡 SECURE  📤 EXPORTED  🔄 ROTATED  ⚡ CROSS-SIGNED           │
│ Expires: 2027-10-02  │  1,247 certificates  │  Status: Active  │
└─────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│ Test CA - Development                                           │
│ 🔴 COMPROMISED  🏠 INTERNAL                                     │
│ Expires: 2025-12-01  │  23 certificates  │  Status: ⚠️ ACTION │
└─────────────────────────────────────────────────────────────────┘

CA Details Page

Trust & Security Status

Security Level:     🟢 VERY SECURE
                    Password-protected from creation
                    Never downgraded to secure mode

Origin:             🏠 INTERNAL
                    Generated by PKIaaS on 2024-09-15
                    Private key never exported

Lifecycle:          🔄 ROTATED   CROSS-SIGNED
                    - Rotated on 2025-01-10
                    - Cross-signed with "Old Root CA" on 2025-01-10

Last Updated:       2025-10-02 08:00:00 by admin@example.com

Badge Color Scheme

Security: - 🟢 Green → very_secure (best) - 🟡 Yellow → secure (standard) - 🔴 Red → compromised (critical)

Origin: - 🏠 Blue → internal (most trusted) - 📥 Purple → imported (medium trust) - 📤 Orange → exported (lower trust)

Lifecycle: - 🔄 Cyan → rotated - ⚡ Yellow → cross_signed - 💤 Gray → retired

🔄 Auto-Detection Logic

On CA Creation

$ca->trust_security_level = $password ? 'very_secure' : 'secure';
$ca->trust_origin = 'internal';
$ca->trust_lifecycle_flags = [];

On Password Set

// If CA was created without password, it stays 'secure'
if ($ca->trust_security_level === 'secure') {
    // Do NOT upgrade to very_secure
    // Just enable password protection
    $ca->password_protected_encryption = true;
}

On Private Key Export

$ca->trust_origin = 'exported';
$ca->logTrustFlagChange('origin', 'internal', 'exported', 'Private key exported to PKCS#12');

On CA Rotation

$ca->addLifecycleFlag('rotated');
$ca->addLifecycleFlag('cross_signed'); // If cross-signing performed

On Compromise Detection

$ca->trust_security_level = 'compromised';
$ca->logSecurityIncident('CA marked as compromised: ' . $reason);
// Trigger alert to admins

📊 Audit Trail

Every trust flag change is logged:

{
  "timestamp": "2025-10-02T08:15:00Z",
  "user_id": 1,
  "user_email": "admin@example.com",
  "flag_type": "security",
  "old_value": "very_secure",
  "new_value": "secure",
  "reason": "Password protection removed by admin",
  "ip_address": "192.168.1.100"
}

🚀 Implementation Phases

Phase 1: Core Flags (THIS SPRINT) ✅

  • Security flags: very_secure, secure, compromised
  • Origin flags: internal, imported, exported
  • Lifecycle flags: rotated, cross_signed, retired
  • Dashboard badges display
  • Auto-detection on creation/export

Phase 2: Operational Flags

  • HSM integration detection
  • Air-gapped detection
  • High-volume detection
  • ACME/auto-renewal badges

Phase 3: Compliance & Advanced

  • Compliance flags (GDPR, SOC2, HIPAA)
  • MFA requirements
  • Advanced audit reporting

🔒 Security Considerations

  1. Immutable Downgrades: Once exported or imported, can't go back to internal
  2. No Upgrades: secure can never become very_secure (prevents false sense of security)
  3. Compromise Flag: Irreversible once set (requires CA replacement)
  4. Audit Log: All flag changes tracked with user/timestamp/reason

📚 References

  • RFC 5280: X.509 Certificate and CRL Profile
  • CA/Browser Forum Baseline Requirements
  • NIST SP 800-57: Key Management Guidelines
  • WebTrust Principles and Criteria for CAs

Document Owner: PKIaaS Development Team Last Updated: 2025-10-02 Status: Ready for implementation Phase 1