Goals

The Intermediate Certificate Authority (ICA) is a non-central, backend component of the SCMS. There may be many instances of ICAs within the system. The ICA authorizes all other non-central components including ECAs, PCAs, RAs, LAs, or additional ICAs. Adding a new ICA to the system makes the new ICA available to authorize new components.

An ICA is intended to be an offline component, meaning that it should be configured with no direct network access or address. A local ICA Manager operates the ICA manually. The specific details of how the operator presents messages to the ICA are implementation-specific and subject to review by a certification procedure approved by the SCMS Manager.

Procedure

The procedure required for adding an ICA to the system depends on whether the new ICA is replacing a previously revoked or removed ICA or is a net-new component.

New ICA

A new ICA must be properly set up using the process described in the Setup ICA use case. Since the ICA operates offline, there are no network addresses or other parameters to configure when adding the ICA.

Note that if the new ICA issues a certificate for a PCA or RA, then the Add PCA use case will cause the ICA to be registered with the Policy Generator (PG) for inclusion in future updates to the Global Certificate Chain File (GCCF). There is no need to register the ICA with the PG until a new PCA or RA is added. All other components that are issued certificates by the ICA will make the ICA certificate available to recipients of their messages when required.

Re-Certified ICA

An ICA certificate has a limited useful life that is shorter than the expiration period of the certificate. When an ICA certificate is retired, the current private key must be deleted, a new key pair must be generated, and a new certificate must be issued. There are no additional actions needed to add or enable the new ICA certificate. As with the procedure for adding a new ICA (above), there is no need to communicate the new ICA certificate to the PG or any other components.

Replacement ICA

When replacing an ICA that was previously removed or revoked, the new component must first be set up using the Setup ICA use case. The local ICA Manager must then use the new component to re-issue certificates to all of the components that were previously authorized under the ICA that was removed or revoked; see Step 11.2.1 - Revoke ICA.
