[Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA

Fraser Tweedale ftweedal at redhat.com
Tue Sep 22 02:54:38 UTC 2015


On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. wrote:
> Hi all,
> Recently we needed to create a subordinate CA in FreeIPA and
> conveniently used the certificate profile feature in 4.2.0. For the
> benefit of others, I have documented this in our blog,
> 
> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
> 
> Any comments are appreciated.
> 
> Summary of the profile is:
> *) Set the CA flag to true
> *) Set the appropriate Key Usage constraint.
> 
> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
> 
> We have verified the certs issued with Sub-CA are accepted in browsers
> where only the Root CA is set as trusted.
> 
> -Kiran
> 
Thank you for sharing, Kiran!

A future version of FreeIPA will support creating sub-CAs via a
native plugin and allow specifying the desired issuer as an argument
to `ipa cert-request' and `ipa-getcert request'.

Regarding EV: the list of supported EV policies is maintained by
browser vendors and validation includes matching the policy OID with
the expected issuer.  Accordingly, even with the right Dogtag
profile you would have to modify the browser (or, possibly, some
configuration that is read by the browser) to attain the green bar.
It is probably not worth the effort :)

Cheers,
Fraser
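
The policy set quoted above is what decides whether the resulting certificate can act as a CA at all, and whether that CA can in turn issue further CAs (pathLen). The following is an added example, not code from the post or from FreeIPA/Dogtag: a small stdlib-only linter that parses Dogtag `key=value` profile lines and checks the Basic Constraints and Key Usage parameters of a sub-CA policy set before the profile is imported. The embedded sample is an excerpt of the post's lines; the "weak" variant is constructed, and treating a negative Min/MaxPathLen as "no bound" is an assumption.

```python
from typing import Dict, List, Optional

def parse_profile(text: str) -> Dict[str, str]:
    """Parse Dogtag 'key=value' profile lines, skipping blanks and '#' comments."""
    lines = (ln.strip() for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in (ln.partition("=") for ln in lines)}
def policy_index(params: Dict[str, str], prefix: str, class_id: str) -> Optional[str]:
    """Policy number (e.g. '5') under prefix whose default/constraint class_id matches."""
    for key, value in params.items():
        if key.startswith(prefix) and key.endswith(".class_id") and value == class_id:
            return key[len(prefix):].split(".")[0]
    return None
def lint_subca_profile(text: str, policyset: str = "caSubCertSet") -> List[str]:
    """Return findings for a sub-CA policy set; an empty list means it passes."""
    p, prefix, findings = parse_profile(text), f"policyset.{policyset}.", []
    bc = policy_index(p, prefix, "basicConstraintsExtDefaultImpl")
    if bc is None:
        findings.append("no Basic Constraints default in policy set")
    else:
        d = f"{prefix}{bc}.default.params.basicConstraints"
        c = f"{prefix}{bc}.constraint.params.basicConstraints"
        findings += [f"Basic Constraints {x} is not true" for x in ("IsCA", "Critical")
                     if p.get(d + x) != "true"]
        try:  # assumption: a negative Min/MaxPathLen constraint means 'no bound'
            n = int(p.get(d + "PathLen", ""))
            lo, hi = int(p.get(c + "MinPathLen", -1)), int(p.get(c + "MaxPathLen", -1))
            if (lo >= 0 and n < lo) or (hi >= 0 and n > hi):
                findings.append(f"pathLen {n} outside constraint [{lo}, {hi}]")
        except ValueError:
            findings.append("Basic Constraints pathLen missing or not an integer")
    ku = policy_index(p, prefix, "keyUsageExtConstraintImpl")
    k = f"{prefix}{ku}.constraint.params.keyUsage"  # ku None -> every bit reads as missing
    findings += [f"Key Usage constraint does not require {x}"
                 for x in ("KeyCertSign", "CrlSign", "Critical") if p.get(k + x) != "true"]
    return findings

# Excerpt of the policy set from the post (cA=TRUE, pathLen 0, keyCertSign + cRLSign).
SUBCA_PROFILE = """
policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
"""
# Constructed weak variant: pathLen exceeds the constraint and keyCertSign is not required.
WEAK_PROFILE = (SUBCA_PROFILE.replace("basicConstraintsPathLen=0", "basicConstraintsPathLen=5")
                .replace("keyUsageKeyCertSign=true", "keyUsageKeyCertSign=false"))
```

Run `lint_subca_profile` over the full profile text before `ipa certprofile-import`; the post's policy set returns no findings, while the weak variant reports the out-of-range pathLen and the missing keyCertSign requirement.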
