[Freeipa-users] using pathlen:0 for freeipa's CA certificate?

Fraser Tweedale ftweedal at redhat.com
Fri May 15 07:22:37 UTC 2015


On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:
> Hi,
> 
> Dne 5.5.2015 v 10:43 Martin Kosek napsal(a):
> >On 05/04/2015 01:19 PM, Harald Dunkel wrote:
> >>Hi folks,
> >>
> >>Instead of a self-signed certificate I would like to use an external
> >>CA to sign freeipa's CSR ("ipa-server-install --external-ca").
> >>Question:
> >>
> >>Is pathlen:0, e.g.
> >>
> >>	basicConstraints=critical,CA:TRUE, pathlen:0
> >>
> >>sufficient for freeipa's CA certificate?
> >
> >I would say it should be sufficient for FreeIPA CA for now, given it does not
> >allow subordinate CAs. However, I am still CCing Fraser and Honza for
> >reference, in case there would be some limitation in Dogtag/our CA certificate
> >that would limit use of the basicConstraints extension.
> 
> I'm not aware of any.
> 
Yes, currently it is sufficient.  When FreeIPA has sub-CAs
capability, a pathLenConstraint of zero will prevent the creation of
valid sub-CAs.

Martin, Jan, this is a situation I had not considered.  I propose
that we should detect pathLenConstraint and error out if sub-CAs
creation is attempted at a depth that cannot be valid.  If you agree
I will add to design document.

Cheers,
Fraser

> >
> >Note that this basicConstraint would surely prevent you from using the upcoming
> >feature
> >
> >http://www.freeipa.org/page/V4/Sub-CAs
> >
> >but this is OK with you, I assume. BTW, Fraser, we should record a task to
> >properly watch for the pathlen limitation and have nice error messages around
> >it when admin attempts to use Sub-CAs.
> >
> >Final note, there is a related ticket:
> >https://fedorahosted.org/freeipa/ticket/3466
> >
> >Martin
> >
> 
> Honza
> 
> -- 
> Jan Cholasta
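Added example, not FreeIPA or Dogtag code: a small model of the RFC 5280 section 6.1.4 pathLenConstraint bookkeeping, written to show concretely why a FreeIPA CA certificate issued with `basicConstraints=critical,CA:TRUE, pathlen:0` cannot have a usable sub-CA beneath it, and what the pre-flight check Fraser proposes (refuse sub-CA creation at a depth that cannot validate) would look like. Certificates are plain dicts with constructed names; no signatures are verified, and the function names (`remaining_ca_depth`, `validate_path`, `can_create_sub_ca`) are this example's own, not FreeIPA's.

```python
"""
Added example, not FreeIPA or Dogtag code: a model of the RFC 5280
section 6.1.4 pathLenConstraint bookkeeping, showing why a FreeIPA CA
certificate issued with "basicConstraints=critical,CA:TRUE,pathlen:0"
cannot have a usable sub-CA beneath it, and the kind of pre-flight check
Fraser proposes (refuse sub-CA creation at a depth that cannot validate).
Certificates are plain dicts; no signatures are verified.
"""


def cert(subject, issuer, ca=True, pathlen=None):
    """Constructed stand-in for an X.509 certificate's name fields and
    basicConstraints (cA flag and optional pathLenConstraint)."""
    return {"subject": subject, "issuer": issuer, "ca": ca, "pathlen": pathlen}


def remaining_ca_depth(ca_chain):
    """ca_chain: trust anchor first, ending with the CA that will issue
    the next certificate.  Returns how many further CA levels may still
    appear below ca_chain[-1] in a valid path, or None when no
    pathLenConstraint bounds it.  Mirrors RFC 5280 6.1.4 steps (k)-(m);
    the trust anchor's own extensions are not processed, as in the RFC."""
    budget = None  # None: no pathLenConstraint seen yet (unbounded)
    for c in ca_chain[1:]:
        # (k) every issuing certificate must assert cA
        if not c["ca"]:
            raise ValueError(f"{c['subject']}: basicConstraints cA is false")
        # (l) a non-self-issued CA certificate consumes one unit of depth
        if c["subject"] != c["issuer"]:
            if budget is not None and budget <= 0:
                raise ValueError(
                    f"{c['subject']}: exceeds pathLenConstraint of an issuer")
            if budget is not None:
                budget -= 1
        # (m) a pathLenConstraint can only tighten the remaining budget
        if c["pathlen"] is not None and (budget is None or c["pathlen"] < budget):
            budget = c["pathlen"]
    return budget


def validate_path(chain):
    """chain: trust anchor first, end-entity (or target) certificate last.
    Returns (ok, reason).  Only the issuing certificates are subject to
    the depth check; the final certificate is not, which is why a sub-CA
    certificate under a pathlen:0 CA verifies by itself yet nothing it
    issues can."""
    if len(chain) < 2:
        return False, "chain needs a trust anchor and a target certificate"
    try:
        remaining_ca_depth(chain[:-1])
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def can_create_sub_ca(issuer_chain):
    """Pre-flight check for a sub-CA request: True only if a CA created
    under issuer_chain[-1] could itself issue certificates that validate."""
    try:
        budget = remaining_ca_depth(issuer_chain)
    except ValueError:
        return False
    return budget is None or budget > 0


# Constructed scenario from the thread: an external root signs the
# FreeIPA CA with pathlen:0 (or pathlen:1 for comparison), and later a
# sub-CA is created under the FreeIPA CA.
EXTERNAL_ROOT = cert("External Root", "External Root")
IPA_CA_P0 = cert("IPA CA", "External Root", pathlen=0)
IPA_CA_P1 = cert("IPA CA", "External Root", pathlen=1)
SUB_CA = cert("IPA Sub-CA", "IPA CA")
HOST = cert("host.example.test", "IPA Sub-CA", ca=False)
HOST_DIRECT = cert("host.example.test", "IPA CA", ca=False)

if __name__ == "__main__":
    for label, chain in [
        ("pathlen:0, host issued directly by IPA CA",
         [EXTERNAL_ROOT, IPA_CA_P0, HOST_DIRECT]),
        ("pathlen:0, host issued by sub-CA",
         [EXTERNAL_ROOT, IPA_CA_P0, SUB_CA, HOST]),
        ("pathlen:1, host issued by sub-CA",
         [EXTERNAL_ROOT, IPA_CA_P1, SUB_CA, HOST]),
    ]:
        print(f"{label}: {validate_path(chain)}")
    print("sub-CA allowed under pathlen:0 IPA CA?",
          can_create_sub_ca([EXTERNAL_ROOT, IPA_CA_P0]))
```

With pathlen:0 the host certificate issued directly by the IPA CA validates, the same host certificate issued through a sub-CA fails at the sub-CA with a pathLenConstraint error, and with pathlen:1 exactly one sub-CA level works. The check `can_create_sub_ca` is the point at which a CA could refuse the request up front instead of letting an unusable sub-CA be created; the same check with a pathlen:1 issuer and an existing sub-CA returns False, which is the "depth that cannot be valid" case.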
