[Pki-devel] What CA constraints?

Christina cfu at redhat.com
Fri Oct 21 16:46:42 UTC 2011


On 10/21/2011 09:20 AM, Rob Crittenden wrote:
> Shanks was testing signing an IPA CA cert request with an external CA 
> and found an issue, see https://fedorahosted.org/freeipa/ticket/2019 
> for full details.
>
> In short the issue is the CA he did the signing with wasn't really a 
> full CA. It was lacking all sorts of constraints. I had him try again 
> using a proper CA and it worked fine.
>
> We'd like to detect this at install time, I'm just not exactly sure 
> what the minimum requirements are. I also wonder if dogtag should be 
> doing this enforcement or if IPA should (or both, perhaps).
>
> Where should we start?
>
> rob
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
The short answer is, at the minimum you need to have the Basic 
Constraints extension, but then you also need to have others like 
Authority Key Identifier.  The key usage has to be right, etc.  You can 
look up the X.509 RFC.

Dogtag does have a self-test module to test the system certs when they are 
started.  In the CA's case, it should report it if it's not a proper 
CA.  I believe the test is on by default.  You can look in CS.cfg for 
ca.cert.signing.nickname and make sure your new nickname is there ... 
you can also see the pairing ca.cert.signing.certusage=SSLCA, which 
tells the server that it is expected to be a CA cert, so that the 
server will report an error and refuse to start if it fails the test.

Christina
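As an added example (not code from this thread, nor from Dogtag or FreeIPA), the checks Christina lists can be expressed as a small pre-install validation of the externally signed CA certificate's extensions: Basic Constraints with cA=TRUE (and marked critical, as RFC 5280 section 4.2.1.9 requires), a Key Usage that includes keyCertSign, and an Authority Key Identifier. To run offline without third-party libraries it carries a minimal DER encoder/decoder; the two extension blocks it inspects are constructed here, one shaped like a proper CA and one shaped like the end-entity style certificate from the ticket. In practice you would feed it the Extensions SEQUENCE of a parsed certificate (for instance from the `cryptography` package or `openssl x509 -text`), which is an assumption of this example.

```python
"""Pre-install check: do a certificate's X.509 extensions make it a usable CA?

Constructed example, not part of Dogtag or IPA.  A tiny DER encoder/decoder
is included so the check runs with the standard library only.
"""

OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"   # 2.5.29.19
OID_KEY_USAGE = b"\x55\x1d\x0f"           # 2.5.29.15
OID_SUBJECT_KEY_ID = b"\x55\x1d\x0e"      # 2.5.29.14
OID_AUTHORITY_KEY_ID = b"\x55\x1d\x23"    # 2.5.29.35

# KeyUsage bit positions, RFC 5280 section 4.2.1.3
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_CERT_SIGN, KU_CRL_SIGN = 0, 2, 5, 6


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def parse_sequence(body: bytes) -> list:
    """Split the contents of a DER SEQUENCE into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(body[pos:pos + n], "big")
            pos += n
        items.append((tag, body[pos:pos + length]))
        pos += length
    return items


def bit_string_has(body: bytes, bit: int) -> bool:
    """True if `bit` is set in a DER BIT STRING body (first octet = unused-bit count)."""
    data = body[1:]
    index = bit // 8
    return index < len(data) and bool(data[index] >> (7 - bit % 8) & 1)


def extension(oid: bytes, value: bytes, critical: bool = False) -> bytes:
    """Encode RFC 5280 Extension ::= SEQUENCE { extnID, critical, extnValue }."""
    body = tlv(0x06, oid)
    if critical:
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))


def key_usage(*bits: int) -> bytes:
    """Encode a KeyUsage BIT STRING with the given bit numbers set."""
    nbytes = max(bits) // 8 + 1
    data = bytearray(nbytes)
    for b in bits:
        data[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (max(bits) + 1)
    return tlv(0x03, bytes([unused]) + bytes(data))


def check_ca_extensions(extensions_der: bytes) -> list:
    """Return the reasons this Extensions SEQUENCE is not a proper CA (empty list = OK)."""
    _, seq_body = parse_sequence(extensions_der)[0]   # unwrap the outer SEQUENCE
    found = {}
    for _tag, ext_body in parse_sequence(seq_body):
        fields = parse_sequence(ext_body)
        oid = fields[0][1]
        critical = len(fields) == 3 and fields[1][1] == b"\xff"
        found[oid] = (critical, fields[-1][1])        # extnValue OCTET STRING contents

    problems = []
    if OID_BASIC_CONSTRAINTS not in found:
        problems.append("missing Basic Constraints")
    else:
        critical, value = found[OID_BASIC_CONSTRAINTS]
        inner = parse_sequence(parse_sequence(value)[0][1])  # BasicConstraints SEQUENCE body
        if not any(tag == 0x01 and val == b"\xff" for tag, val in inner):
            problems.append("Basic Constraints present but cA is not TRUE")
        if not critical:
            problems.append("Basic Constraints not marked critical (RFC 5280 4.2.1.9)")
    if OID_KEY_USAGE not in found:
        problems.append("missing Key Usage")
    elif not bit_string_has(parse_sequence(found[OID_KEY_USAGE][1])[0][1], KU_KEY_CERT_SIGN):
        problems.append("Key Usage lacks keyCertSign")
    if OID_AUTHORITY_KEY_ID not in found:
        problems.append("missing Authority Key Identifier")
    return problems


# Constructed sample: extensions of a proper CA certificate.
PROPER_CA_EXTS = tlv(0x30,
    extension(OID_BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff")), critical=True)
    + extension(OID_KEY_USAGE, key_usage(KU_KEY_CERT_SIGN, KU_CRL_SIGN), critical=True)
    + extension(OID_SUBJECT_KEY_ID, tlv(0x04, b"\x01" * 20))
    + extension(OID_AUTHORITY_KEY_ID, tlv(0x30, tlv(0x80, b"\x01" * 20))))

# Constructed sample: an end-entity style certificate offered as a "CA".
NOT_REALLY_A_CA_EXTS = tlv(0x30,
    extension(OID_KEY_USAGE, key_usage(KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT), critical=True)
    + extension(OID_SUBJECT_KEY_ID, tlv(0x04, b"\x02" * 20)))

if __name__ == "__main__":
    for name, exts in (("proper CA", PROPER_CA_EXTS), ("not a CA", NOT_REALLY_A_CA_EXTS)):
        print(name, "->", check_ca_extensions(exts) or "OK")
```

Running the block prints "OK" for the first block and three findings for the second (no Basic Constraints, no keyCertSign, no Authority Key Identifier), which is the failure mode the ticket describes. Running such a check at install time, before the certificate is imported, gives a clearer message than a server that refuses to start after the fact.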

