[Freeipa-users] using pathlen:0 for freeipa's CA certificate?

Jan Cholasta jcholast at redhat.com
Fri May 15 05:59:27 UTC 2015


Hi,

On 5.5.2015 at 10:43 Martin Kosek wrote:
> On 05/04/2015 01:19 PM, Harald Dunkel wrote:
>> Hi folks,
>>
>> Instead of a self-signed certificate I would like to use an external
>> CA to sign freeipa's CSR ("ipa-server-install --external-ca").
>> Question:
>>
>> Is pathlen:0, e.g.
>>
>> 	basicConstraints=critical,CA:TRUE, pathlen:0
>>
>> sufficient for freeipa's CA certificate?
>
> I would say it should be sufficient for FreeIPA CA for now, given it does not
> allow subordinate CAs. However, I am still CCing Fraser and Honza for
> reference, in case there would be some limitation in Dogtag/our CA certificate
> that would limit use of the basicConstraints extension.

I'm not aware of any.

>
> Note that this basicConstraints setting would surely prevent you from using the upcoming
> feature
>
> http://www.freeipa.org/page/V4/Sub-CAs
>
> but this is OK with you, I assume. BTW, Fraser, we should record a task to
> properly watch for the pathlen limitation and have nice error messages around
> it when admin attempts to use Sub-CAs.
>
> Final note, there is a related ticket:
> https://fedorahosted.org/freeipa/ticket/3466
>
> Martin
>

Honza

-- 
Jan Cholasta
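As an added illustration of what pathlen:0 on the FreeIPA CA certificate does and does not permit, the script below (written for this page; it is not code from the thread, from FreeIPA or from Dogtag) builds a throwaway PKI with the openssl CLI: an external root, an "IPA CA" signed with basicConstraints=critical,CA:TRUE,pathlen:0, a service certificate issued directly by that CA, and a sub-CA under it with its own service certificate. All file names, subject names and the config file are constructed for the example.

```shell
#!/bin/sh
# Added example: shows that a CA certificate carrying pathlen:0 can still
# issue end-entity certificates, but that any chain passing through a
# subordinate CA beneath it is rejected at validation time.
# Names, paths and the config file below are hypothetical.
set -e

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Minimal openssl config: a dummy DN section (overridden by -subj) plus
# one extension section per certificate role.
cat > "$PKI/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ipa_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[sub_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# issue NAME ISSUER EXTSECTION CN: create key+CSR for NAME, sign it with ISSUER.
issue() {
  name=$1; issuer=$2; ext=$3; cn=$4
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI/pki.cnf" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -days 365 -in "$PKI/$name.csr" \
    -CA "$PKI/$issuer.crt" -CAkey "$PKI/$issuer.key" -CAcreateserial \
    -extfile "$PKI/pki.cnf" -extensions "$ext" -out "$PKI/$name.crt" 2>/dev/null
}

build_pki() {
  # 1. self-signed external root (the "external CA" of the question)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$PKI/pki.cnf" \
    -extensions root_ca -keyout "$PKI/root.key" -out "$PKI/root.crt" \
    -subj "/CN=External Root CA" 2>/dev/null
  # 2. the IPA CA, signed by the root with pathlen:0
  issue ipa root ipa_ca "Example IPA CA"
  # 3. a service cert issued directly by the IPA CA (permitted by pathlen:0)
  issue leaf1 ipa leaf "ipa.example.test"
  # 4. a sub-CA under the IPA CA and a service cert under it (not permitted).
  #    Note that the signing step itself succeeds: pathlen is enforced by
  #    the validator, not by the signer.
  issue sub ipa sub_ca "Example IPA Sub-CA"
  issue leaf2 sub leaf "svc.example.test"
  cat "$PKI/ipa.crt" "$PKI/sub.crt" > "$PKI/chain.pem"
}

# Print the pathlen value from the IPA CA certificate's basicConstraints.
ipa_ca_pathlen() {
  openssl x509 -in "$PKI/ipa.crt" -noout -ext basicConstraints \
    | sed -n 's/.*pathlen:\([0-9][0-9]*\).*/\1/p'
}

# verify_against_root LEAF UNTRUSTED: OK if a chain builds to the root, else FAIL.
verify_against_root() {
  if openssl verify -CAfile "$PKI/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}
verify_leaf_under_ipa_ca() { verify_against_root "$PKI/leaf1.crt" "$PKI/ipa.crt"; }
verify_leaf_under_sub_ca() { verify_against_root "$PKI/leaf2.crt" "$PKI/chain.pem"; }

build_pki
echo "IPA CA pathlen:         $(ipa_ca_pathlen)"
echo "leaf issued by IPA CA:  $(verify_leaf_under_ipa_ca)"
echo "leaf issued by sub-CA:  $(verify_leaf_under_sub_ca)"
# Show the validator's reason for the failing case:
openssl verify -CAfile "$PKI/root.crt" -untrusted "$PKI/chain.pem" "$PKI/leaf2.crt" || true
```

The last command reports "path length constraint exceeded" for the leaf under the sub-CA, while the leaf issued directly by the IPA CA verifies. The point a practitioner should take from it is that the constraint is enforced by whoever validates the chain, not by the CA that signs: openssl x509 -req issues the sub-CA certificate without complaint, so a sub-CA set up under a pathlen:0 CA only reveals the problem when clients start rejecting the certificates it issued.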
