Shanks was testing signing an IPA CA cert request with an external CA
and found an issue, see
https://fedorahosted.org/freeipa/ticket/2019 for
full details.
In short the issue is the CA he did the signing with wasn't really a
full CA. It was lacking all sorts of constraints. I had him try again
using a proper CA and it worked fine.
We'd like to detect this at install time; I'm just not exactly sure what
the minimum requirements are. I also wonder if dogtag should be doing
this enforcement or if IPA should (or both, perhaps).
Where should we start?
rob
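As an added illustration of the install-time check Rob is asking about (this is not code from the thread, FreeIPA or Dogtag), the following Python uses the `cryptography` package to test whether the certificate of the external signer carries the constraints a CA needs: a critical basicConstraints with CA:TRUE and a pathLenConstraint that still allows a subordinate CA, plus a keyUsage including keyCertSign. The names `ca_cert_problems` and `self_signed` and the rule set itself are my own reading of RFC 5280, and the test certificates are constructed on the fly.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def ca_cert_problems(cert):
    """Return reasons the signer's cert is not a usable CA (empty list = OK).
    Rules are my reading of RFC 5280, not FreeIPA's or Dogtag's own check."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
        if not bc.value.ca:
            problems.append("basicConstraints present but CA:FALSE")
        elif not bc.critical:
            problems.append("basicConstraints is not marked critical")
        elif bc.value.path_length == 0:
            # pathLen 0: may issue end-entity certs only, never a sub-CA like IPA's
            problems.append("pathLenConstraint=0 forbids issuing a subordinate CA")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
        if not ku.value.key_cert_sign:
            problems.append("keyUsage lacks keyCertSign")
    except x509.ExtensionNotFound:
        problems.append("keyUsage extension missing")
    return problems


def self_signed(cn, extensions):
    """Constructed test data: a throwaway self-signed cert with the given extensions."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(key, hashes.SHA256())


# keyUsage flags, positionally: digitalSignature, contentCommitment, keyEncipherment,
# dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
CA_KEY_USAGE = x509.KeyUsage(False, False, False, False, False, True, True, False, False)
GOOD_CA = self_signed("Proper Test CA", [(x509.BasicConstraints(True, None), True),
                                         (CA_KEY_USAGE, True)])
BARE_CA = self_signed("Bare Test CA", [])   # no constraints at all, as in the ticket
```

Running `ca_cert_problems` on the signer's certificate before submitting the IPA CA request would have flagged the bare certificate from the ticket with two missing extensions, while the proper CA passes cleanly.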