[Freeipa-users] using pathlen:0 for freeipa's CA certificate?

Martin Kosek mkosek at redhat.com
Fri May 15 07:31:02 UTC 2015


On 05/15/2015 09:22 AM, Fraser Tweedale wrote:
> On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>>> On 5.5.2015 at 10:43, Martin Kosek wrote:
>>> On 05/04/2015 01:19 PM, Harald Dunkel wrote:
>>>> Hi folks,
>>>>
>>>> Instead of a self-signed certificate I would like to use an external
>>>> CA to sign freeipa's CSR ("ipa-server-install --external-ca").
>>>> Question:
>>>>
>>>> Is pathlen:0, e.g.
>>>>
>>>> 	basicConstraints=critical,CA:TRUE, pathlen:0
>>>>
>>>> sufficient for freeipa's CA certificate?
>>>
>>> I would say it should be sufficient for FreeIPA CA for now, given it does not
>>> allow subordinate CAs. However, I am still CCing Fraser and Honza for
>>> reference, in case there would be some limitation in Dogtag/our CA certificate
>>> that would limit use of the basicConstraints extension.
>>
>> I'm not aware of any.
>>
> Yes, currently it is sufficient.  When FreeIPA has sub-CAs
> capability, a pathLenConstraint of zero will prevent the creation of
> valid sub-CAs.
>
> Martin, Jan, this is a situation I had not considered.  I propose
> that we should detect pathLenConstraint and error out if sub-CAs
> creation is attempted at a depth that cannot be valid.  If you agree
> I will add to design document.

I agree. Please also add a ticket for this part. The check can be IMO added to 
FreeIPA 4.2.1, it is not critical for 4.2 GA.

>>> Note that this basicConstraints would surely prevent you from using the upcoming
>>> feature
>>>
>>> http://www.freeipa.org/page/V4/Sub-CAs
>>>
>>> but this is OK with you, I assume. BTW, Fraser, we should record a task to
>>> properly watch for the pathlen limitation and have nice error messages around
>>> it when admin attempts to use Sub-CAs.
>>>
>>> Final note, there is a related ticket:
>>> https://fedorahosted.org/freeipa/ticket/3466
>>>
>>> Martin
>>>
>>
>> Honza
>>
>> --
>> Jan Cholasta
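The check Fraser proposes above (detect pathLenConstraint and error out when a sub-CA would sit at a depth that cannot validate) is sketched below as an added example. It is illustration only, not FreeIPA or Dogtag code, written in Python because that is FreeIPA's language. Each CA in the chain is represented by just the DER extnValue of its basicConstraints extension; the sample byte strings are constructed by hand, and `check_sub_ca_request` and its chain-ordering convention (trust anchor first, issuing CA last, with the anchor's own pathLenConstraint honoured as the conservative reading) are assumptions of this example rather than any real API.

```python
"""Pre-flight check for sub-CA creation under a pathLenConstraint-limited CA.

Added illustration, not FreeIPA or Dogtag code.  Each CA in the chain is
represented only by the DER-encoded value of its basicConstraints extension
(id-ce-basicConstraints, OID 2.5.29.19); the sample values at the bottom are
constructed by hand and do not come from any real certificate.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BasicConstraints:
    ca: bool
    path_len: Optional[int]   # None means "no pathLenConstraint present"


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag/length/value at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if pos + n > len(data):
            raise ValueError("truncated DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:pos + length], pos + length


def parse_basic_constraints(der: bytes) -> BasicConstraints:
    """Decode  BasicConstraints ::= SEQUENCE {
                   cA                 BOOLEAN DEFAULT FALSE,
                   pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
    Strict DER: a FALSE cA must be omitted (it is the default), so a BOOLEAN
    that is present must be 0xFF."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints is not a single DER SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN
        _, val, pos = _read_tlv(body, pos)
        if val != b"\xff":
            raise ValueError("non-DER BOOLEAN encoding in basicConstraints")
        ca = True
    if pos < len(body) and body[pos] == 0x02:          # INTEGER
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(body):
        raise ValueError("unexpected trailing data in basicConstraints")
    if path_len is not None and not ca:
        # RFC 5280 4.2.1.9: pathLenConstraint is only meaningful with cA=TRUE
        raise ValueError("pathLenConstraint present but cA is FALSE")
    return BasicConstraints(ca, path_len)


def max_sub_ca_depth(chain: List[BasicConstraints]) -> Optional[int]:
    """How many further CA certificates may still hang below the last CA in
    `chain` (ordered trust anchor -> ... -> issuing CA), or None if unbounded.

    Mirrors RFC 5280 6.1.4 (l)/(m): every CA certificate below the anchor
    consumes one unit of the effective path length, and a smaller
    pathLenConstraint on any CA tightens it.  Assumption of this example: the
    anchor's own pathLenConstraint is honoured too (the conservative reading)."""
    remaining = None
    for depth, bc in enumerate(chain):
        if not bc.ca:
            raise ValueError(f"certificate {depth} in the chain is not a CA")
        if depth > 0:
            if remaining == 0:
                raise ValueError(f"certificate {depth} already violates pathLenConstraint")
            if remaining is not None:
                remaining -= 1
        if bc.path_len is not None and (remaining is None or bc.path_len < remaining):
            remaining = bc.path_len
    return remaining


def check_sub_ca_request(chain_der: List[bytes]) -> str:
    """Hypothetical pre-flight check for a "create sub-CA" request: returns
    "ok", or a reason why the new sub-CA could never build a valid chain."""
    try:
        remaining = max_sub_ca_depth([parse_basic_constraints(d) for d in chain_der])
    except ValueError as exc:
        return f"error: {exc}"
    if remaining == 0:
        return ("error: pathLenConstraint in the CA chain is exhausted; "
                "a sub-CA issued here would never validate")
    return "ok"


# Constructed sample extnValues (hex), not taken from any real certificate.
IPA_CA_PATHLEN0 = bytes.fromhex("3006" "0101ff" "020100")  # CA:TRUE, pathlen:0
IPA_CA_PATHLEN1 = bytes.fromhex("3006" "0101ff" "020101")  # CA:TRUE, pathlen:1
ROOT_NO_LIMIT = bytes.fromhex("3003" "0101ff")             # CA:TRUE, no pathlen
ROOT_PATHLEN1 = IPA_CA_PATHLEN1                            # CA:TRUE, pathlen:1
END_ENTITY = bytes.fromhex("3000")                         # CA:FALSE (default, omitted)

if __name__ == "__main__":
    print("external root, IPA CA pathlen:0 ->", check_sub_ca_request([ROOT_NO_LIMIT, IPA_CA_PATHLEN0]))
    print("root pathlen:1, IPA CA no limit ->", check_sub_ca_request([ROOT_PATHLEN1, ROOT_NO_LIMIT]))
    print("root no limit, IPA CA pathlen:1 ->", check_sub_ca_request([ROOT_NO_LIMIT, IPA_CA_PATHLEN1]))
    print("end-entity cert in the chain    ->", check_sub_ca_request([ROOT_NO_LIMIT, END_ENTITY]))
```

Two points the thread only touches on fall out of the walk: pathlen:0 on the FreeIPA CA itself is not the only way to lose sub-CA capability, since a pathlen:1 on the external root with an unconstrained FreeIPA CA gives the same exhausted budget, so the check has to look at every CA above the issuing one, not just the issuing certificate; and to allow one level of sub-CAs the FreeIPA CA needs pathlen of at least 1 and each CA above it one more than the CAs below. On a real certificate the value is visible under "X509v3 Basic Constraints" in `openssl x509 -in ca.crt -noout -text`.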



