[Freeipa-users] using pathlen:0 for freeipa's CA certificate?

Jan Cholasta jcholast at redhat.com
Fri May 15 08:53:20 UTC 2015


On 15.5.2015 at 09:31 Martin Kosek wrote:
> On 05/15/2015 09:22 AM, Fraser Tweedale wrote:
>> On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 5.5.2015 at 10:43 Martin Kosek wrote:
>>>> On 05/04/2015 01:19 PM, Harald Dunkel wrote:
>>>>> Hi folks,
>>>>>
>>>>> Instead of a self-signed certificate I would like to use an external
>>>>> CA to sign freeipa's CSR ("ipa-server-install --external-ca").
>>>>> Question:
>>>>>
>>>>> Is pathlen:0, e.g.
>>>>>
>>>>>     basicConstraints=critical,CA:TRUE, pathlen:0
>>>>>
>>>>> sufficient for freeipa's CA certificate?
>>>>
>>>> I would say it should be sufficient for FreeIPA CA for now, given it
>>>> does not allow subordinate CAs. However, I am still CCing Fraser and
>>>> Honza for reference, in case there would be some limitation in
>>>> Dogtag/our CA certificate that would limit use of the basicConstraints
>>>> extension.
>>>
>>> I'm not aware of any.
>>>
>> Yes, currently it is sufficient.  When FreeIPA has sub-CAs
>> capability, a pathLenConstraint of zero will prevent the creation of
>> valid sub-CAs.
>>
>> Martin, Jan, this is a situation I had not considered.  I propose
>> that we should detect pathLenConstraint and error out if sub-CA
>> creation is attempted at a depth that cannot be valid.  If you agree
>> I will add to design document.
>
> I agree. Please also add a ticket for this part. The check can be IMO
> added to FreeIPA 4.2.1, it is not critical for 4.2 GA.

I believe there would be other things to check as well, e.g. 
directoryName name constraints.

>
>>>> Note that this basicConstraints would surely prevent you from using the
>>>> upcoming feature
>>>>
>>>> http://www.freeipa.org/page/V4/Sub-CAs
>>>>
>>>> but this is OK with you, I assume. BTW, Fraser, we should record a
>>>> task to properly watch for the pathlen limitation and have nice error
>>>> messages around it when admin attempts to use Sub-CAs.
>>>>
>>>> Final note, there is a related ticket:
>>>> https://fedorahosted.org/freeipa/ticket/3466
>>>>
>>>> Martin
>>>>
>>>
>>> Honza
>>>
>>> --
>>> Jan Cholasta
>


-- 
Jan Cholasta
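The depth check Fraser proposes, as an added example that is not part of the thread or of FreeIPA's code: it parses the openssl-style basicConstraints value quoted above and works out, from the pathLenConstraint of every CA in the chain (the external root's included, which the thread does not discuss), whether a new sub-CA could ever be valid. Function names and the sample chains are my own constructions.

```python
from typing import Optional, Sequence, Tuple

def parse_basic_constraints(value: str) -> Tuple[bool, Optional[int]]:
    """Parse an openssl.cnf-style line such as
    'basicConstraints=critical,CA:TRUE, pathlen:0' into (is_ca, pathlen);
    pathlen is None when no pathLenConstraint is set."""
    if "=" in value:
        value = value.split("=", 1)[1]
    is_ca, pathlen = False, None
    for item in (s.strip() for s in value.split(",")):
        key, _, val = item.partition(":")
        if key.upper() == "CA":
            is_ca = val.strip().upper() == "TRUE"
        elif key.lower() == "pathlen":
            pathlen = int(val)
    return is_ca, pathlen

def remaining_sub_ca_depth(chain_pathlens: Sequence[Optional[int]]) -> Optional[int]:
    """chain_pathlens holds each CA's pathLenConstraint from the root down to
    the CA that would sign the new sub-CA (None = unconstrained).  RFC 5280
    4.2.1.9: a pathLenConstraint bounds the number of non-self-issued CA
    certificates that may follow that certificate, so every CA in the chain
    imposes a bound and the tightest one wins.  Returns how many further
    sub-CA levels can still be valid, or None if nothing bounds the depth."""
    remaining = None
    for i, pathlen in enumerate(chain_pathlens):
        if pathlen is None:
            continue
        already_below = len(chain_pathlens) - 1 - i  # CA certs already under CA i
        left = pathlen - already_below
        if remaining is None or left < remaining:
            remaining = left
    return remaining

def check_sub_ca_creation(chain_pathlens: Sequence[Optional[int]],
                          new_levels: int = 1) -> Tuple[bool, str]:
    """The check proposed in the thread: refuse a sub-CA request that could
    never yield a valid certification path."""
    remaining = remaining_sub_ca_depth(chain_pathlens)
    if remaining is None or remaining >= new_levels:
        return True, "sub-CA would be valid"
    return False, ("pathLenConstraint in the CA chain allows %d more CA level(s), "
                   "%d requested" % (max(remaining, 0), new_levels))

if __name__ == "__main__":
    # Constructed scenario: an unconstrained external root signing the FreeIPA
    # CA with the basicConstraints value quoted in the thread.
    _, ipa_pathlen = parse_basic_constraints("basicConstraints=critical,CA:TRUE, pathlen:0")
    print(check_sub_ca_creation([None, ipa_pathlen]))  # root -> IPA CA(pathlen 0): refused
    print(check_sub_ca_creation([1, None]))  # root pathlen:1 -> IPA CA: refused too
```

The second scenario shows why the issuing CA's own extension is not the whole story: a pathlen:1 on the external root is already consumed by the FreeIPA CA certificate, so a sub-CA beneath it is just as invalid.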