On 10/21/2011 09:20 AM, Rob Crittenden wrote:
> Shanks was testing signing an IPA CA cert request with an external CA
> and found an issue, see
https://fedorahosted.org/freeipa/ticket/2019
> for full details.
>
> In short the issue is the CA he did the signing with wasn't really a
> full CA. It was lacking all sorts of constraints. I had him try again
> using a proper CA and it worked fine.
>
> We'd like to detect this at install time, I'm just not exactly sure
> what the minimum requirements are. I also wonder if dogtag should be
> doing this enforcement or if IPA should (or both, perhaps).
>
> Where should we start?
>
> rob
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/pki-devel
The short answer is, at the minimum you need to have the Basic
Constraints extension, but then you also need to have others like
Authority Key Identifier. The key usage has to be right, etc. you
can look up x509 rfc.
Dogtag does have self test module to test the system certs when they
are started. In the CA's case, it should report it if it's not a
proper CA. I believe the test is on by default. You can look in
CS.cfg for ca.cert.signing.nickname and make sure your new nickname is
there ... you can also see the pairing
ca.cert.signing.certusage=SSLCA, which is to tell the server that it
is expected to be a CA cert, so that the server will report error and
refuse to start if fails the test.
Christina
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel