[Pki-devel] What CA constraints?

Rob Crittenden rcritten at redhat.com
Fri Oct 21 16:20:40 UTC 2011


Shanks was testing signing an IPA CA cert request with an external CA 
and found an issue; see https://fedorahosted.org/freeipa/ticket/2019 for 
full details.

In short, the issue is that the CA he did the signing with wasn't really a 
full CA. It was lacking all sorts of constraints. I had him try again 
using a proper CA and it worked fine.

We'd like to detect this at install time; I'm just not exactly sure what 
the minimum requirements are. I also wonder if dogtag should be doing 
this enforcement or if IPA should (or both, perhaps).

Where should we start?

rob