Delete Root CA key

[budulinek]

Root CA key should be stored offline, it should be deleted from LabCA once we generate Issuer CA. Suggestion:

1. Root CA upload: make Root CA key uploading optional (with a hint that Root CA's private key is only needed for Issuer CA generation, it is not stored by LabCA). If Root key is not uploaded, Issuer CA can not be generated (only uploaded).
2. Root CA generate: after the Root CA generation (before Issuer CA setup), Root CA key is shown to the user (plain text and/or file) with a message, something like "For comprehensive risk reduction, the Root CA's private key should be stored offline. Please copy this Root CA's private key and store it in secure, private and offline location. The Root CA's private key will be deleted from LabCA after Issuer CA generation!"
3. Issuer CA generate: after Issuer CA generation, Root CA private key is permanently deleted from LabCA.

[hakwerk]

This would indeed be a good practice, although LabCA should not be used in situations where the Root CA is super critical.

It would also be nice to be able to renew / replace Root and Issuer CA certificates.

[tjmullicani]

+1 I want to be able to use LabCA with my offline root CA, without having to expose my offline root private key. Option 1 (Root CA upload) seems like a good fit, especially if LabCA could generate an issuer CA CSR.

[hakwerk]

In the latest release (v23.06) it is now possible to keep the Root CA private key offline as requested