[Pki-devel] What CA constraints?
Kashyap Chamarthy
kchamart at redhat.com
Fri Oct 21 17:57:34 UTC 2011
On 10/21/2011 09:50 PM, Rob Crittenden wrote:
> Shanks was testing signing an IPA CA cert request with an external CA and found an issue,
> see https://fedorahosted.org/freeipa/ticket/2019 for full details.
>
> In short the issue is the CA he did the signing with wasn't really a full CA. It was
> lacking all sorts of constraints. I had him try again using a proper CA and it worked fine.
Yeah, we were trying by trial and error, using a self-signed CA made with certutil w/o any
certificate constraints [1].
Side question:
Just curious: if we had tried with some of the constraints (-2, -3, -4) using 'certutil',
might 'ipa-find' have been successful? (Though this might not be desired; better to use a proper CA.)
-2, -3, -4 are as defined on the certutil usage page --
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
[1]
http://kashyapc.wordpress.com/2011/10/12/configuring-certificate-chaining-using-mozilla-nssnetwork-security-services/
>
> We'd like to detect this at install time, I'm just not exactly sure what the minimum
> requirements are. I also wonder if dogtag should be doing this enforcement or if IPA
> should (or both, perhaps).
>
> Where should we start?
>
> rob
>
--
/kashyap
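Added example, not FreeIPA or dogtag code: an install-time check, in Go using only the standard library's crypto/x509, for the constraints Rob is asking about. makeSelfSigned builds a constructed test certificate in both shapes (a bare self-signed cert with no extensions, like the certutil one in [1], and one carrying basicConstraints and keyUsage); checkCA applies the RFC 5280 CA requirements, and the function names and subject are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed self-signed test cert; false = no extensions, true = CA extensions.
func makeSelfSigned(withConstraints bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if withConstraints {
		tmpl.BasicConstraintsValid = true // emit the basicConstraints extension (certutil -2)
		tmpl.IsCA = true                  // with cA=TRUE
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // keyUsage (certutil -1)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkCA returns the first RFC 5280 CA requirement the cert fails; nil means it is fit to sign.
func checkCA(c *x509.Certificate) error {
	if !c.BasicConstraintsValid {
		return errors.New("basicConstraints extension missing")
	}
	if !c.IsCA {
		return errors.New("basicConstraints present but cA=FALSE")
	}
	if c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("keyUsage present but lacks keyCertSign")
	}
	return nil
}
```

To use it on the external CA, parse its PEM with encoding/pem and x509.ParseCertificate and pass the result to checkCA; the unconstrained shape from [1] is rejected at the first check.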