[EPIC] Auto-Generated Issuing CAs

[AlexHx8472]

Introduction Discuss with @Aircoookie in regards to Signature Suites. We either want to automatically generate one hierarchy for every 'common' signature suite, or we may want to let the user explicitly create such hierarchies while selecting the required signature suite.

Acceptance Criteria

• [x] Job Story #122 : Allow the use of the local auto-generated Issuing CA only on levels 0 and 1 (Dev/Basic)

[Aircoookie]

The current implementation just generates a single hierarchy. We want to avoid a mixed hierarchy (with a common root CA and different issuing CA and/or EE signature suites), as this may make it impossible for entities to validate the chain if they don't support all utilitzed signature suites.

Some ideas for discussion later:

• generate 2-3 fixed hierarchies with common signature suites
  • easiest, alleviates the burden of choosing sig suite from the user to some degree
  • inflexible
  • generates CAs with sig suites the user may not need or want
• offer checkboxes to select the desired signature suites in security settings
  • only creates hierarchies actually desired
  • added complexity when enabling/disabling hierarchies
  • user has to think about which sig suites to enable, which requires some domain knowledge we would ideally like to abstract away
• generate no PKI during enabling of the Auto Gen PKI setting, but allow the user to create local self-gen Issuing CAs. Each time a CA is requested with a sig suite that doesn't have a corresponding local root CA yet, that is generated too.
  • most flexible, also allows testing various domain configurations during evaluation
  • easier to support rollover processes etc. in the future
  • user has to decide which sig suite to use, but that could be alleviated by providing a reasonable default and having the sig suite dropdown under an "Advanced" label
  • a bit more complex implementation