On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:
> Hi,
> 
> Dne 5.5.2015 v 10:43 Martin Kosek napsal(a):
> >On 05/04/2015 01:19 PM, Harald Dunkel wrote:
> >>Hi folks,
> >>
> >>Instead of a self-signed certificate I would like to use an external
> >>CA to sign freeipa's CSR ("ipa-server-install --external-ca").
> >>Question:
> >>
> >>Is pathlen:0, e.g.
> >>
> >>    basicConstraints=critical,CA:TRUE, pathlen:0
> >>
> >>sufficient for freeipa's CA certificate?
> >
> >I would say it should be sufficient for FreeIPA CA for now, given it does not
> >allow subordinate CAs. However, I am still CCing Fraser and Honza for
> >reference, in case there would be some limitation in Dogtag/our CA 
> >certificate
> >that would limit use of the basicConstraints extension.
> 
> I'm not aware of any.
> 
Yes, currently it is sufficient.  When FreeIPA has sub-CAs
capability, a pathLenConstraint of zero will prevent the creation of
valid sub-CAs.

Martin, Jan, this is a situation I had not considered.  I propose
that we should detect pathLenConstraint and error out if sub-CAs
creation is attempted at a depth that cannot be valid.  If you agree
I will add to design document.

Cheers,
Fraser

> >
> >Note that this basiConstrain would surely prevent you from using the upcoming
> >feature
> >
> >http://www.freeipa.org/page/V4/Sub-CAs
> >
> >but this is OK with you, I assume. BTW, Fraser, we should record a task to
> >properly watch for the pathlen limitation and have nice error messages around
> >it when admin attempts to use Sub-CAs.
> >
> >Final note, there is a related ticket:
> >https://fedorahosted.org/freeipa/ticket/3466
> >
> >Martin
> >
> 
> Honza
> 
> -- 
> Jan Cholasta

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to