On 10/21/2011 09:20 AM, Rob Crittenden wrote:
> Shanks was testing signing an IPA CA cert request with an external CA
> and found an issue, see https://fedorahosted.org/freeipa/ticket/2019
> for full details.
>
> In short the issue is the CA he did the signing with wasn't really a 
> full CA. It was lacking all sorts of constraints. I had him try again 
> using a proper CA and it worked fine.
>
> We'd like to detect this at install time, I'm just not exactly sure 
> what the minimum requirements are. I also wonder if dogtag should be 
> doing this enforcement or if IPA should (or both, perhaps).
>
> Where should we start?
>
> rob
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
The short answer is, at the minimum you need to have the Basic
Constraints extension, but then you also need to have others like
Authority Key Identifier. The key usage has to be right, etc. You
can look up the X.509 RFC.

Dogtag does have a self-test module to test the system certs when they
are started. In the CA's case, it should report it if it's not a
proper CA. I believe the test is on by default. You can look in
CS.cfg for ca.cert.signing.nickname and make sure your new nickname is
there ... you can also see the pairing
ca.cert.signing.certusage=SSLCA, which is to tell the server that it
is expected to be a CA cert, so that the server will report an error and
refuse to start if it fails the test.

Christina
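The kind of install-time check the thread is asking for, written as an added example (it is not FreeIPA or Dogtag code and does not mirror Dogtag's self-test module). It uses the `cryptography` package, applies the CA-certificate rules from RFC 5280 section 4.2.1 that the reply lists (Basic Constraints, Key Usage with keyCertSign, Subject/Authority Key Identifier), and runs them over two constructed certificates: one built the way a proper CA would be, and one bare self-signed cert with no extensions, like the signer in the ticket. The certificate names and helper function names are made up for the example.

```python
"""Added example (not FreeIPA or Dogtag code): report why a certificate is
not usable as a CA, then exercise the check on two constructed certs."""
from datetime import datetime, timedelta, timezone
from typing import List

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def ca_cert_problems(cert: x509.Certificate) -> List[str]:
    """Return the reasons `cert` is not a proper CA certificate (empty = OK).

    RFC 5280 requires in every CA certificate: a critical BasicConstraints
    with cA=TRUE, KeyUsage with keyCertSign, and a SubjectKeyIdentifier.
    AuthorityKeyIdentifier is required in everything a conforming CA issues
    except a self-signed certificate, so it is only demanded when the
    subject and issuer differ (a subordinate CA, as in the ticket)."""
    problems = []
    exts = cert.extensions

    try:
        bc = exts.get_extension_for_class(x509.BasicConstraints)
        if not bc.value.ca:
            problems.append("BasicConstraints present but cA=FALSE")
        elif not bc.critical:
            problems.append("BasicConstraints is not marked critical")
    except x509.ExtensionNotFound:
        problems.append("missing BasicConstraints extension")

    try:
        ku = exts.get_extension_for_class(x509.KeyUsage)
        if not ku.value.key_cert_sign:
            problems.append("KeyUsage lacks keyCertSign")
    except x509.ExtensionNotFound:
        problems.append("missing KeyUsage extension")

    try:
        exts.get_extension_for_class(x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        problems.append("missing SubjectKeyIdentifier extension")

    if cert.subject != cert.issuer:
        try:
            exts.get_extension_for_class(x509.AuthorityKeyIdentifier)
        except x509.ExtensionNotFound:
            problems.append("missing AuthorityKeyIdentifier extension")

    return problems


def _base_builder(common_name: str, key) -> x509.CertificateBuilder:
    """Self-signed builder carrying only the mandatory TBSCertificate fields."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365)))


def make_proper_ca() -> x509.Certificate:
    """Constructed self-signed root with the extensions a CA cert must carry."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    builder = (_base_builder("Constructed Proper Root CA", key)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                              critical=True)
               .add_extension(x509.KeyUsage(
                   digital_signature=True, content_commitment=False,
                   key_encipherment=False, data_encipherment=False,
                   key_agreement=False, key_cert_sign=True, crl_sign=True,
                   encipher_only=False, decipher_only=False), critical=True)
               .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub),
                              critical=False)
               .add_extension(
                   x509.AuthorityKeyIdentifier.from_issuer_public_key(pub),
                   critical=False))
    return builder.sign(key, hashes.SHA256())


def make_bare_signer() -> x509.Certificate:
    """Constructed self-signed cert with no extensions at all: it can still
    sign a CSR, but it is not a CA in the RFC 5280 sense."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _base_builder("Constructed Bare Signer", key).sign(key, hashes.SHA256())


if __name__ == "__main__":
    for cert in (make_proper_ca(), make_bare_signer()):
        found = ca_cert_problems(cert)
        print(cert.subject.rfc4514_string(), "->", found or "OK")
```

Running the block prints an empty problem list for the proper root and three findings (no Basic Constraints, no Key Usage, no Subject Key Identifier) for the bare signer; the Authority Key Identifier is not reported for it only because it is self-signed. Dropping the check in at the point where the installer receives the externally signed cert, and refusing to continue on a non-empty list, would catch the ticket's case before Dogtag's own self-test refuses to start.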