[Pki-devel] What CA constraints?
Andrew Wnuk
awnuk at redhat.com
Sat Oct 22 11:05:49 UTC 2011
On 10/21/2011 9:46 AM, Christina wrote:
> On 10/21/2011 09:20 AM, Rob Crittenden wrote:
>> Shanks was testing signing an IPA CA cert request with an external CA
>> and found an issue, see https://fedorahosted.org/freeipa/ticket/2019
>> for full details.
>>
>> In short the issue is the CA he did the signing with wasn't really a
>> full CA. It was lacking all sorts of constraints. I had him try again
>> using a proper CA and it worked fine.
>>
>> We'd like to detect this at install time, I'm just not exactly sure
>> what the minimum requirements are. I also wonder if dogtag should be
>> doing this enforcement or if IPA should (or both, perhaps).
>>
>> Where should we start?
>>
>> rob
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
> The short answer is, at the minimum you need to have the Basic
> Constraints extension, but then you also need to have others like
> Authority Key Identifier. The key usage has to be right, etc.; you
> can look up the X.509 RFC.
>
> Dogtag does have a self-test module to test the system certs when they
> are started. In the CA's case, it should report it if it's not a
> proper CA. I believe the test is on by default. You can look in
> CS.cfg for ca.cert.signing.nickname and make sure your new nickname is
> there ... you can also see the pairing
> ca.cert.signing.certusage=SSLCA, which is to tell the server that it
> is expected to be a CA cert, so that the server will report an error and
> refuse to start if it fails the test.
>
> Christina
>
It is always good to check RFC 5280 for guidelines:
http://www.ietf.org/rfc/rfc5280.txt
Andrew
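The install-time check Rob asks about, as an added example that is not part of this thread, of dogtag or of IPA: it inspects a certificate for the extensions Christina lists (Basic Constraints, Authority Key Identifier, key usage) against the RFC 5280 rules Andrew points to, using the Python `cryptography` package; the two self-signed sample certificates are constructed in the block in place of an external CA's certificate, and the function names are the example's own.

```python
# Added example (not dogtag/IPA code): report which RFC 5280 CA requirements a
# certificate fails, the way an installer could before trusting an external CA.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

def check_ca_cert(cert):
    """List the RFC 5280 problems that make cert unusable as a signing CA."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
        if not bc.value.ca:
            problems.append("basicConstraints present but cA=FALSE")
        elif not bc.critical:  # RFC 5280 4.2.1.9: MUST be critical on CA certs
            problems.append("basicConstraints must be critical on a CA cert")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
        if not ku.value.key_cert_sign:  # required whenever cA is asserted
            problems.append("keyUsage lacks keyCertSign")
    except x509.ExtensionNotFound:
        problems.append("keyUsage extension missing")
    # SKI is required on every CA cert; AKI may be omitted only on self-signed
    # roots, so for an externally signed IPA CA (the thread's case) both apply.
    for oid, name in ((ExtensionOID.SUBJECT_KEY_IDENTIFIER, "subjectKeyIdentifier"),
                      (ExtensionOID.AUTHORITY_KEY_IDENTIFIER, "authorityKeyIdentifier")):
        try:
            cert.extensions.get_extension_for_oid(oid)
        except x509.ExtensionNotFound:
            problems.append(name + " extension missing")
    return problems

def make_self_signed(proper_ca):
    """Constructed sample cert: with (True) or without (False) CA extensions."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if proper_ca:  # KeyUsage flags: digitalSignature, keyCertSign and cRLSign set
        ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
        b = (b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
             .add_extension(x509.KeyUsage(True, False, False, False, False, True, True, False, False), critical=True)
             .add_extension(ski, critical=False)
             .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False))
    return b.sign(key, hashes.SHA256())
```

For a real check, load the externally signed certificate with `x509.load_pem_x509_certificate()` and pass it to `check_ca_cert()`; an empty list means the extensions the thread discusses are all present.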