[Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA

Silver Sky Soft Services, Inc. contactus at silverskysoft.com
Tue Sep 22 01:44:30 UTC 2015


Hi all,
Recently we needed to create a subordinate CA in FreeIPA and
conveniently used the certificate profile feature in 4.2.0. For
benefit of others, I have documented this in our blog,

http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/

Any comments are appreciated.

Summary of the profile is:
*) Set the CA flag to true.
*) Set the appropriate Key Usage constraint.

policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false

We have verified that the certs issued by the Sub-CA are accepted in browsers
where only the Root CA is set as trusted.

-Kiran
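
The trust shape the post describes, rebuilt with plain openssl as an added example (this is not code from the post, from FreeIPA or from Dogtag). It reproduces the two security-relevant settings of the profile fragment, Basic Constraints CA:TRUE with a path length of 0 and Key Usage keyCertSign plus cRLSign, and then checks both claims a practitioner cares about: a leaf issued by the sub-CA verifies against a store that trusts only the root, and a leaf issued by a further CA tier under the pathlen:0 sub-CA is rejected. All subject names, the hostname and the working directory are made up; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA/Dogtag.
# root -> subca (CA:TRUE, pathlen:0, keyCertSign|cRLSign) -> leaf
#                \-> rogue (second-level CA, forbidden by pathlen:0) -> leaf2
# Check 1: leaf verifies with only root.pem trusted (subca sent untrusted).
# Check 2: leaf2 is rejected, because pathlen:0 on subca forbids the rogue tier.
set -eu

# issue DIR NAME SUBJECT ISSUER EXTFILE: fresh EC key + CSR, signed by ISSUER
# with the extensions in EXTFILE. ISSUER "self" produces a self-signed root.
issue() {
    dir=$1; name=$2; subj=$3; issuer=$4; ext=$5
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -days 30 -extfile "$dir/$ext" -out "$dir/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$dir/$name.csr" -days 30 \
            -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" -CAcreateserial \
            -extfile "$dir/$ext" -out "$dir/$name.pem" 2>/dev/null
    fi
}

# build_chain DIR: write the extension files and issue every certificate.
build_chain() {
    dir=$1
    # Root: CA:TRUE, no path length limit.
    cat > "$dir/root.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Sub-CA: the openssl equivalent of policyset 5 and 6 in the post.
    cat > "$dir/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
EOF
    # End-entity: what the sub-CA is meant to issue.
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    issue "$dir" root  "/CN=Example Root CA"        self  root.ext
    issue "$dir" subca "/CN=Example Sub CA"         root  subca.ext
    issue "$dir" leaf  "/CN=www.example.test"       subca leaf.ext
    # A CA issued by the pathlen:0 sub-CA, and a leaf under it (should fail).
    issue "$dir" rogue "/CN=Rogue Second-Level CA"  subca subca.ext
    issue "$dir" leaf2 "/CN=www.example.test"       rogue leaf.ext
}

# leaf_accepted DIR: 0 if the sub-CA-issued leaf chains to the root alone.
leaf_accepted() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/subca.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

# pathlen_enforced DIR: 0 if the leaf under the extra CA tier is rejected.
pathlen_enforced() {
    if openssl verify -CAfile "$1/root.pem" -untrusted "$1/subca.pem" \
        -untrusted "$1/rogue.pem" "$1/leaf2.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_chain "$WORK"
if leaf_accepted "$WORK"; then
    echo "leaf issued by sub-CA: accepted with only the root trusted"
fi
if pathlen_enforced "$WORK"; then
    echo "leaf under an extra CA tier: rejected (pathlen:0 enforced)"
fi
# openssl's own reason for the rejection, for the reader.
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/subca.pem" \
    -untrusted "$WORK/rogue.pem" "$WORK/leaf2.pem" 2>&1 | grep -i 'path length' || true
```

The same two checks can be run against the real certificate FreeIPA issues: point `-CAfile` at the IPA root and inspect the sub-CA with `openssl x509 -noout -text` to confirm that Basic Constraints shows `CA:TRUE, pathlen:0` and Key Usage lists `Certificate Sign, CRL Sign`, which is what the `basicConstraintsPathLen=0` and `keyUsageKeyCertSign=true` lines in the profile are supposed to guarantee.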