On 10/21/2011 09:50 PM, Rob Crittenden wrote:
> Shanks was testing signing an IPA CA cert request with an external CA
> and found an issue, see https://fedorahosted.org/freeipa/ticket/2019 for
> full details.
>
> In short, the issue is the CA he did the signing with wasn't really a full
> CA. It was lacking all sorts of constraints. I had him try again using a
> proper CA and it worked fine.
Yeah, we were doing trial and error using a self-signed CA with certutil,
without any certificate constraints [1].

Side question:

Just curious: if we had tried with some of the constraints (-2, -3, -4) using
certutil, might 'ipa-find' have been successful? (Though this might not be
desired, and a proper CA should be used.)

-2, -3, -4 as defined in the certutil usage page:
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

[1] http://kashyapc.wordpress.com/2011/10/12/configuring-certificate-chaining...
> We'd like to detect this at install time; I'm just not exactly sure what the
> minimum requirements are. I also wonder if dogtag should be doing this
> enforcement or if IPA should (or both, perhaps).
>
> Where should we start?
>
> rob
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
--
/kashyap
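The install-time check Rob asks about, as an added example that is not part of this thread and not FreeIPA or Dogtag code. It assumes the minimum requirements are basicConstraints CA:TRUE plus, when keyUsage is present, keyCertSign; it needs the openssl CLI, and the two self-signed certificates it checks are constructed on the fly (file names are made up).

```shell
#!/bin/sh
# Added example, not code from FreeIPA or Dogtag: a pre-flight check of an
# externally signed CA certificate of the kind ipa-server-install could run.
# Assumed minimum requirements: basicConstraints must say CA:TRUE and, if a
# keyUsage extension is present, it must include keyCertSign (RFC 5280 4.2.1.9).
# Needs the openssl CLI (1.1.1 or later for -addext); all file names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Decode the certificate and test the two constraints. Returns 0 when the
# certificate can act as a CA, 1 otherwise (with the reason on stderr).
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "$1: no basicConstraints CA:TRUE, not usable as a CA" >&2
        return 1
    fi
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' &&
       ! printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
        echo "$1: keyUsage present but without keyCertSign" >&2
        return 1
    fi
    return 0
}
# Constructed test material. A minimal config keeps the system openssl.cnf
# (which often adds v3_ca extensions by default) out of the picture, so only
# the extensions passed with -addext end up in the certificate.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
# $1 = name; any further arguments (e.g. -addext ...) are passed to openssl req
make_selfsigned() {
    name=$1; shift
    openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=$name" -days 1 \
        -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
        "$@" 2>/dev/null
}
# A proper CA, and a bare self-signed cert lacking constraints as in the ticket.
make_selfsigned proper-ca -addext "basicConstraints=critical,CA:TRUE" \
                          -addext "keyUsage=critical,keyCertSign,cRLSign"
make_selfsigned not-a-ca
check_ca_cert "$WORK/proper-ca.pem" && echo "proper-ca: accepted"
check_ca_cert "$WORK/not-a-ca.pem" || echo "not-a-ca: rejected"
```

The check only decides whether the certificate may sign other certificates; chain validation (name constraints, path length, expiry) is left to the CA software itself.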