[Pki-devel] What CA constraints?
Rob Crittenden
rcritten at redhat.com
Fri Oct 21 16:20:40 UTC 2011

Shanks was testing signing an IPA CA cert request with an external CA
and found an issue, see https://fedorahosted.org/freeipa/ticket/2019 for
full details.

In short the issue is the CA he did the signing with wasn't really a
full CA. It was lacking all sorts of constraints. I had him try again
using a proper CA and it worked fine.

We'd like to detect this at install time, I'm just not exactly sure what
the minimum requirements are. I also wonder if dogtag should be doing
this enforcement or if IPA should (or both, perhaps).

Where should we start?

rob