[Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA

Silver Sky Soft Services, Inc. contactus at silverskysoft.com
Tue Sep 22 03:32:17 UTC 2015


Hi Fraser,
Thanks. I actually looked at your proposal. It certainly makes it
easier. But hopefully the info we put in will help others in need.

The EV bar - we are finishing up on a detailed analysis. In summary,
it's actually not possible to get the green bar without recompiling
Mozilla/Chrome (which makes it an impractical solution to work with
for anything but very small networks). IE, on the other hand, is simpler
if you have an AD environment.

-Kiran

On Mon, Sep 21, 2015 at 7:54 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. wrote:
>> Hi all,
>> Recently we needed to create a subordinate CA in FreeIPA and
>> conveniently used the certificate profile feature in 4.2.0. For
>> benefit of others, I have documented this in our blog,
>>
>> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
>>
>> Any comments are appreciated.
>>
>> Summary of the profile is:
>> *) Set the CA flag to true
>> *) Set the appropriate Key Usage constraint.
>>
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
>> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
>> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
>> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
>> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
>> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
>> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
>>
>> We have verified the certs issued with Sub-CA are accepted in browsers
>> where only the Root CA is set as trusted.
>>
>> -Kiran
>>
> Thank you for sharing, Kiran!
>
> A future version of FreeIPA will support creating sub-CAs via a
> native plugin and allow specifying the desired issuer as an argument
> to `ipa cert-request' and `ipa-getcert request'.
>
> Regarding EV: the list of supported EV policies is maintained by
> browser vendors and validation includes matching the policy OID with
> the expected issuer.  Accordingly, even with the right Dogtag
> profile you would have to modify the browser (or, possibly, some
> configuration that is read by the browser) to attain the green bar.
> It is probably not worth the effort :)
>
> Cheers,
> Fraser