[Freeipa-users] using pathlen:0 for freeipa's CA certificate?

Fraser Tweedale ftweedal at redhat.com
Fri May 15 11:35:28 UTC 2015


On Fri, May 15, 2015 at 10:53:20AM +0200, Jan Cholasta wrote:
> Dne 15.5.2015 v 09:31 Martin Kosek napsal(a):
> >On 05/15/2015 09:22 AM, Fraser Tweedale wrote:
> >>On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:
> >>>Hi,
> >>>
> >>>Dne 5.5.2015 v 10:43 Martin Kosek napsal(a):
> >>>>On 05/04/2015 01:19 PM, Harald Dunkel wrote:
> >>>>>Hi folks,
> >>>>>
> >>>>>Instead of a self-signed certificate I would like to use an external
> >>>>>CA to sign freeipa's CSR ("ipa-server-install --external-ca").
> >>>>>Question:
> >>>>>
> >>>>>Is pathlen:0, e.g.
> >>>>>
> >>>>>    basicConstraints=critical,CA:TRUE, pathlen:0
> >>>>>
> >>>>>sufficient for freeipa's CA certificate?
> >>>>
> >>>>I would say it should be sufficient for FreeIPA CA for now, given it
> >>>>does not allow subordinate CAs. However, I am still CCing Fraser and
> >>>>Honza for reference, in case there would be some limitation in
> >>>>Dogtag/our CA certificate that would limit use of the basicConstraints
> >>>>extension.
> >>>
> >>>I'm not aware of any.
> >>>
> >>Yes, currently it is sufficient.  When FreeIPA has sub-CAs
> >>capability, a pathLenConstraint of zero will prevent the creation of
> >>valid sub-CAs.
> >>
> >>Martin, Jan, this is a situation I had not considered.  I propose
> >>that we should detect pathLenConstraint and error out if sub-CAs
> >>creation is attempted at a depth that cannot be valid.  If you agree
> >>I will add to design document.
> >
> >I agree. Please also add a ticket for this part. The check can be IMO
> >added to FreeIPA 4.2.1, it is not critical for 4.2 GA.
> 
Filed tickets:

- https://fedorahosted.org/pki/ticket/1383
- https://fedorahosted.org/freeipa/ticket/5024

I think we should enforce in Dogtag's sub-CA code but I filed the
IPA tracking ticket (4.2 Backlog for now) to make sure we handle the
case properly in IPA as well.

Cheers,
Fraser

> I believe there would be other things to check as well, e.g. directoryName
> name constraints.
> 
> >
> >>>>Note that this basicConstraints would surely prevent you from using
> >>>>the upcoming feature
> >>>>
> >>>>http://www.freeipa.org/page/V4/Sub-CAs
> >>>>
> >>>>but this is OK with you, I assume. BTW, Fraser, we should record a
> >>>>task to properly watch for the pathlen limitation and have nice error
> >>>>messages around it when admin attempts to use Sub-CAs.
> >>>>
> >>>>Final note, there is a related ticket:
> >>>>https://fedorahosted.org/freeipa/ticket/3466
> >>>>
> >>>>Martin
> >>>>
> >>>
> >>>Honza
> >>>
> >>>--
> >>>Jan Cholasta
> >
> 
> 
> -- 
> Jan Cholasta

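The pre-flight check proposed in the thread (detect a pathLenConstraint and error out before a sub-CA is created at a depth that could never validate), written out as an added example in Python. This is not FreeIPA or Dogtag code. It reduces a certificate to the three fields the check needs (subject, issuer, pathLenConstraint), follows RFC 5280 section 6.1.4 steps (l) and (m) including the exemption for self-issued certificates, and uses a constructed chain in which an external root signs the IPA CA; the names "CN=Example Corp Root CA", "O=EXAMPLE.TEST" and "CN=Puppet CA" are placeholders. RFC 5280 does not process the trust anchor's own constraints, but OpenSSL does enforce the anchor's pathLenConstraint, so the anchor can be passed as the first chain element when that behaviour is wanted.

```python
"""Pre-flight pathLenConstraint check for sub-CA creation.

Models RFC 5280 section 6.1.4 steps (l) and (m).  Added example; not
FreeIPA or Dogtag code.  Certificates are reduced to the fields the
check needs; all names below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


class PathLenViolation(Exception):
    """Raised when a CA certificate cannot be a valid intermediate."""


@dataclass(frozen=True)
class CaCert:
    subject: str
    issuer: str
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint; None = absent

    @property
    def self_issued(self) -> bool:
        # RFC 5280 6.1: a certificate is self-issued when subject == issuer.
        return self.subject == self.issuer


def remaining_path_len(chain: Sequence[CaCert]) -> Optional[int]:
    """Treat `chain` (trust anchor's child first, issuing CA last) as the
    intermediates of a future certification path and return how many more
    non-self-issued CA certificates may be appended below the last one.
    None means no pathLenConstraint was met.  Raises PathLenViolation as
    soon as a certificate exceeds a constraint set by an issuer above it.
    """
    for prev, cert in zip(chain, chain[1:]):
        if cert.issuer != prev.subject:
            raise ValueError(f"{cert.subject!r} was not issued by {prev.subject!r}")
    budget: Optional[int] = None  # RFC's max_path_length; None = unbounded ("n")
    for cert in chain:
        if not cert.self_issued and budget is not None:
            # Step (l): a non-self-issued intermediate consumes one hop.
            if budget <= 0:
                raise PathLenViolation(
                    f"{cert.subject} exceeds a pathLenConstraint set by an "
                    f"issuer above it; no further CA certificates are allowed")
            budget -= 1
        if cert.path_len is not None and (budget is None or cert.path_len < budget):
            # Step (m): a certificate's own constraint can only tighten the budget.
            budget = cert.path_len
    return budget


def check_sub_ca_creation(chain: Sequence[CaCert], new_subject: str) -> Optional[int]:
    """Fail *before* issuing a sub-CA that could never validate.  Returns the
    budget that would remain below the new sub-CA (None = unconstrained)."""
    issuer = chain[-1]
    candidate = CaCert(subject=new_subject, issuer=issuer.subject)
    try:
        return remaining_path_len(list(chain) + [candidate])
    except PathLenViolation as exc:
        raise PathLenViolation(
            f"cannot create sub-CA {new_subject!r} under {issuer.subject!r}: {exc}"
        ) from exc


def sub_ca_allowed(chain: Sequence[CaCert], new_subject: str) -> bool:
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        check_sub_ca_creation(chain, new_subject)
        return True
    except PathLenViolation:
        return False


# Constructed scenario: an external root signs the IPA CA, as with
# ipa-server-install --external-ca.  Two variants of the IPA CA certificate.
EXTERNAL_ROOT = CaCert("CN=Example Corp Root CA", "CN=Example Corp Root CA")
IPA_CA_PATHLEN0 = CaCert("CN=Certificate Authority,O=EXAMPLE.TEST",
                         EXTERNAL_ROOT.subject, path_len=0)
IPA_CA_PATHLEN1 = CaCert("CN=Certificate Authority,O=EXAMPLE.TEST",
                         EXTERNAL_ROOT.subject, path_len=1)


def demo() -> dict:
    """The cases an IPA admin would run into; returns a name -> result map."""
    puppet = "CN=Puppet CA,O=EXAMPLE.TEST"
    sub_ca = CaCert(puppet, IPA_CA_PATHLEN1.subject)
    # A renewal of the IPA CA signed by itself is self-issued and costs no hop.
    renewed = CaCert(IPA_CA_PATHLEN0.subject, IPA_CA_PATHLEN0.subject, path_len=0)
    return {
        "pathlen0_sub_ca": sub_ca_allowed([IPA_CA_PATHLEN0], puppet),
        "pathlen1_sub_ca": sub_ca_allowed([IPA_CA_PATHLEN1], puppet),
        "pathlen1_sub_sub_ca": sub_ca_allowed([IPA_CA_PATHLEN1, sub_ca],
                                              "CN=Nested CA,O=EXAMPLE.TEST"),
        "self_issued_renewal_budget": remaining_path_len([IPA_CA_PATHLEN0, renewed]),
        "unconstrained_budget": remaining_path_len(
            [CaCert("CN=Unconstrained CA", EXTERNAL_ROOT.subject)]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With pathlen:0 on the IPA CA the check refuses any sub-CA, which matches the thread's answer that pathlen:0 is enough only as long as the sub-CA feature is not used; with pathlen:1 exactly one level of sub-CA is possible and the budget below it is zero. The self-issued case shows why the check must not simply count certificates: a same-name renewal of the IPA CA does not consume a hop. A real implementation would read these fields from the DER certificates and, as Jan notes, would also have to examine name constraints, which this example does not cover.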