Re: [Pki-devel] What CA constraints?
On 10/21/2011 09:20 AM, Rob Crittenden wrote:
Shanks was testing signing an IPA CA cert request with an external CA
and found an issue, see https://fedorahosted.org/freeipa/ticket/2019
for full details.
In short the issue is the CA he did the signing with wasn't really a
full CA. It was lacking all sorts of constraints. I had him try again
using a proper CA and it worked fine.
We'd like to detect this at install time, I'm just not exactly sure
what the minimum requirements are. I also wonder if dogtag should be
doing this enforcement or if IPA should (or both, perhaps).
Where should we start?
rob
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
The short answer is, at the
minimum you need to have the Basic
Constraints extension, but then you also need to have others like
Authority Key Identifier. The key usage has to be right, etc. you can
look up x509 rfc.
Dogtag does have self test module to test the system certs when they are
started. In the CA's case, it should report it if it's not a proper
CA. I believe the test is on by default. You can look in CS.cfg for
ca.cert.signing.nickname and make sure your new nickname is there ...
you can also see the pairing ca.cert.signing.certusage=SSLCA, which is
to tell the server that it is expected to be a CA cert, so that the
server will report error and refuse to start if fails the test.
Christina
Attachments:
- smime.p7s (application/pkcs7-signature — 5.0 KB)