On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 5.5.2015 at 10:43 Martin Kosek wrote:
> >On 05/04/2015 01:19 PM, Harald Dunkel wrote:
> >>Hi folks,
> >>
> >>Instead of a self-signed certificate I would like to use an external
> >>CA to sign freeipa's CSR ("ipa-server-install --external-ca").
> >>Question:
> >>
> >>Is pathlen:0, e.g.
> >>
> >>  basicConstraints=critical,CA:TRUE, pathlen:0
> >>
> >>sufficient for freeipa's CA certificate?
> >
> >I would say it should be sufficient for FreeIPA CA for now, given it does not
> >allow subordinate CAs. However, I am still CCing Fraser and Honza for
> >reference, in case there would be some limitation in Dogtag/our CA
> >certificate that would limit use of the basicConstraints extension.
>
> I'm not aware of any.
>

Yes, currently it is sufficient. When FreeIPA has sub-CA capability, a
pathLenConstraint of zero will prevent the creation of valid sub-CAs.

Martin, Jan, this is a situation I had not considered. I propose that we
should detect pathLenConstraint and error out if sub-CA creation is
attempted at a depth that cannot be valid. If you agree I will add it to
the design document.

Cheers,
Fraser

> >
> >Note that this basicConstraints would surely prevent you from using the
> >upcoming feature
> >
> >http://www.freeipa.org/page/V4/Sub-CAs
> >
> >but this is OK with you, I assume. BTW, Fraser, we should record a task to
> >properly watch for the pathlen limitation and have nice error messages around
> >it when an admin attempts to use Sub-CAs.
> >
> >Final note, there is a related ticket:
> >https://fedorahosted.org/freeipa/ticket/3466
> >
> >Martin
> >
>
> Honza
>
> --
> Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
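The pre-flight check Fraser proposes above, as an added illustration that is not FreeIPA or Dogtag code. It models the path-length bookkeeping of RFC 5280 section 6.1.4 (steps (l) and (m)) over the issuing chain and answers the question from the thread: with the IPA CA signed under basicConstraints pathlen:0, can a sub-CA be issued below it at all, and if the external CA allowed some depth, how many levels remain? The certificate names, the CaCert/analyze_chain/check_sub_ca_request helpers and the sample chains are all constructed for this example; one stated assumption is that the trust anchor's own pathLenConstraint is enforced, which RFC 5280 leaves to the verifier.

```python
"""Pre-flight check for sub-CA creation under a pathLenConstraint.

Added illustration; not FreeIPA or Dogtag code. Walks an issuing chain
with the RFC 5280 section 6.1.4 path-length rules and reports whether a
new sub-CA appended below it could be valid. All names and chains below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CaCert:
    """The parts of a CA certificate's basicConstraints that matter here."""
    name: str
    ca: bool = True                 # basicConstraints CA flag
    pathlen: Optional[int] = None   # pathLenConstraint; None when absent
    self_issued: bool = False       # subject == issuer; 6.1.4 (l) skips these


class PathLenError(ValueError):
    """Raised when a chain, or a proposed sub-CA, violates a pathLenConstraint."""


def analyze_chain(chain: List[CaCert]) -> Tuple[Optional[int], Optional[str]]:
    """Walk chain (trust anchor first, issuing CA last).

    Returns (remaining, limited_by): how many more non-self-issued CA
    certificates may be appended below chain[-1] (None means unbounded),
    and the certificate whose pathLenConstraint imposes that limit.

    Assumption: the trust anchor's own pathLenConstraint is enforced too.
    RFC 5280 leaves anchor constraints to the verifier, so enforcing them
    is the conservative choice for a pre-flight check.
    """
    remaining: Optional[int] = None
    limited_by: Optional[str] = None
    for depth, cert in enumerate(chain):
        if not cert.ca:
            raise PathLenError(f"{cert.name}: basicConstraints CA flag is not set")
        # 6.1.4 (l): every non-self-issued CA below the anchor consumes one
        # unit of the budget set by a pathLenConstraint above it.
        if depth > 0 and not cert.self_issued and remaining is not None:
            if remaining == 0:
                raise PathLenError(
                    f"{cert.name} is deeper than the pathLenConstraint "
                    f"on {limited_by} allows"
                )
            remaining -= 1
        # 6.1.4 (m): a tighter pathLenConstraint on this certificate wins.
        if cert.pathlen is not None and (remaining is None or cert.pathlen < remaining):
            remaining = cert.pathlen
            limited_by = cert.name
    return remaining, limited_by


def can_issue_sub_ca(chain: List[CaCert]) -> bool:
    """True if chain[-1] may sign at least one non-self-issued sub-CA."""
    remaining, _ = analyze_chain(chain)
    return remaining is None or remaining > 0


def check_sub_ca_request(chain: List[CaCert], sub_ca_name: str, levels: int = 1) -> str:
    """Refuse a sub-CA request that needs more CA levels than the chain allows.

    levels is how many nested CA levels the admin intends to create below
    chain[-1] (1 for a plain sub-CA). Raises PathLenError with a message
    naming the constraining certificate, otherwise returns a go-ahead.
    """
    remaining, limited_by = analyze_chain(chain)
    if remaining is not None and levels > remaining:
        raise PathLenError(
            f"cannot create sub-CA {sub_ca_name!r}: pathLenConstraint on "
            f"{limited_by} leaves room for {remaining} more CA level(s) below "
            f"{chain[-1].name}, {levels} requested"
        )
    return f"ok: {sub_ca_name} may be issued below {chain[-1].name}"


# Constructed sample certificates (not real FreeIPA certificates).
EXTERNAL_ROOT = CaCert("external-root", self_issued=True)
IPA_CA_PATHLEN0 = CaCert("ipa-ca", pathlen=0)       # the pathlen:0 case from the thread
IPA_CA_UNCONSTRAINED = CaCert("ipa-ca", pathlen=None)
IPA_CA_PATHLEN2 = CaCert("ipa-ca", pathlen=2)
SUB_CA = CaCert("sub-ca")

if __name__ == "__main__":
    for chain in ([EXTERNAL_ROOT, IPA_CA_PATHLEN0], [EXTERNAL_ROOT, IPA_CA_UNCONSTRAINED]):
        try:
            print(check_sub_ca_request(chain, "sub-ca-1"))
        except PathLenError as err:
            print("refused:", err)
```

For the chain from the thread, external root over an IPA CA with pathlen:0, analyze_chain reports zero remaining levels and the request is refused with a message naming ipa-ca; with the constraint absent it is unbounded. Note that end-entity certificates are unaffected in both cases, since the last certificate in a path is never subject to step (l).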