[Pki-devel] Design review request: RFC 2818 certificate compliance
Fraser Tweedale
ftweedal at redhat.com
Fri Mar 11 01:06:29 UTC 2016
On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote:
> Hi,
>
> On 29.2.2016 07:59, Fraser Tweedale wrote:
> >Hi all (especially those interested in certificates),
> >
> >Please provide early review of my design for RFC 2818 compliance
> >which will address the following tickets:
> >
> >- #4970 Server certificate profile should always include a Subject Alternate name for the host
> >- #5706 [RFE] Support SAN-only certificates
> >
> >http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
> >
> >The design is a WIP and there is no code for it yet. Looking for
> >feedback and (hopefully) validation of the approach before
> >committing cycles to implementing new profile components in Dogtag.
>
> 1) Do wildcard certificates need special handling? There is no mention of
> them in the design doc.
>
No special handling of wildcard certs is needed but I've added some
commentary to the design page.
> 2) Should we accept invalid CSR where CN length is greater than 64? I
> wouldn't be surprised if these existed in the wild.
>
Good question. I agree such CSRs probably exist. There are various
ways to handle them:
  a) Reject request (with useful message; instruction to issue
     SAN-only request instead)
  b) Issue non-compliant cert with overlong CN. It will be helpful to
     find out how important clients handle such certs.
  c) Accept the CSR but "promote" the overlong CN from CSR into a SAN
     dnsName, and issue a SAN-only cert. Some clients may not handle
     such certs very well.
Personally I like (c), because the user intent is clear but we still
issue a valid cert, however, I expect there are clients out there
(particularly in "enterprise" environments?) that will not handle it
well.
I've copied pki-devel@ to solicit additional insights here :)
> 3) Sometimes it is not clear which parts belong to Dogtag and which to IPA
> itself. For example the upgrade section - I assume Dogtag should update
> registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated
> anywhere.
>
Thanks, I've added clarifying remarks. In brief: yes Dogtag should
update registry.cfg, but FreeIPA should update the profile.
Thank you for your feedback, Jan.
Fraser
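As an added illustration (not code from this thread, nor from FreeIPA or Dogtag), the Go program below shows option (c) as a policy applied to a parsed CSR, and goes slightly beyond the thread by handling both cases in one function: a CN within the X.520 64-character bound (ub-common-name) is kept in the Subject and mirrored into the SAN dNSName list, so the server cert always carries a SAN for the host as #4970 asks; an overlong CN is dropped from the Subject and promoted into the SAN, giving a SAN-only cert (Go's crypto/x509 then marks the SAN extension critical because the Subject is empty, as RFC 5280 requires). The throwaway CA, the keys, the 67-character hostname and the function names (newCSR, templateFromCSR, issueFromCSR, newTestCA) are all constructed here and are not Dogtag profile components.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ubCommonName is the X.520 upper bound on the commonName attribute. A CN
// longer than this makes the CSR, and any cert that copies it, non-compliant.
const ubCommonName = 64

// newCSR builds a CSR with the given CN and SAN dNSNames on a fresh P-256 key.
// It is a constructed fixture standing in for a client-submitted CSR.
func newCSR(cn string, dnsNames []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature() // reject CSRs whose proof of possession fails
}

// contains reports whether name is already one of the SAN dNSNames.
func contains(names []string, name string) bool {
	for _, n := range names {
		if n == name {
			return true
		}
	}
	return false
}

// templateFromCSR applies option (c). A CN within the bound is kept and
// mirrored into the SAN; an overlong CN is cleared from the Subject and lives
// only in the SAN, yielding a SAN-only cert. promoted reports which path ran.
func templateFromCSR(csr *x509.CertificateRequest) (tmpl *x509.Certificate, promoted bool) {
	cn := csr.Subject.CommonName
	dnsNames := append([]string(nil), csr.DNSNames...)
	if cn != "" && !contains(dnsNames, cn) {
		dnsNames = append(dnsNames, cn) // every server cert gets a SAN for its host
	}
	subject := csr.Subject // copy; pkix.Name.Names is ignored when marshaling
	if len(cn) > ubCommonName {
		subject.CommonName = "" // SAN-only: empty Subject, SAN becomes critical
		promoted = true
	}
	tmpl = &x509.Certificate{
		Subject:     subject,
		DNSNames:    dnsNames,
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return tmpl, promoted
}

// issueFromCSR signs a certificate for csr under the CA using the policy above.
func issueFromCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, serial int64) (*x509.Certificate, bool, error) {
	tmpl, promoted := templateFromCSR(csr)
	tmpl.SerialNumber = big.NewInt(serial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, false, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, promoted, err
}

// newTestCA creates a throwaway self-signed CA (constructed fixture, not a real CA).
func newTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	ca, caKey, err := newTestCA()
	if err != nil {
		panic(err)
	}
	// Constructed example: a 67-character FQDN, over the 64-character CN bound.
	long := "very-long-hostname-for-an-internal-service.engineering.example.test"
	csr, err := newCSR(long, nil)
	if err != nil {
		panic(err)
	}
	cert, promoted, err := issueFromCSR(ca, caKey, csr, 2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("promoted=%v CN=%q SAN=%v hostnameOK=%v\n",
		promoted, cert.Subject.CommonName, cert.DNSNames, cert.VerifyHostname(long) == nil)
}
```

The promoted cert verifies for the long hostname through the SAN alone, which is exactly what a modern RFC 2818 client checks; the concern raised in the thread about older clients that still look at the CN is not something the issuer can fix, only observe.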