On 05/15/2015 09:22 AM, Fraser Tweedale wrote:
On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:

Dne 5.5.2015 v 10:43 Martin Kosek napsal(a):
On 05/04/2015 01:19 PM, Harald Dunkel wrote:
Hi folks,

Instead of a self-signed certificate I would like to use an external
CA to sign freeipa's CSR ("ipa-server-install --external-ca").

Is pathlen:0, e.g.

        basicConstraints=critical,CA:TRUE, pathlen:0

sufficient for freeipa's CA certificate?

I would say it should be sufficient for FreeIPA CA for now, given it does not
allow subordinate CAs. However, I am still CCing Fraser and Honza for
reference, in case there would be some limitation in Dogtag/our CA certificate
that would limit use of the basicConstraints extension.

I'm not aware of any.

Yes, currently it is sufficient.  When FreeIPA has sub-CAs
capability, a pathLenConstraint of zero will prevent the creation of
valid sub-CAs.

Martin, Jan, this is a situation I had not considered.  I propose
that we should detect pathLenConstraint and error out if sub-CAs
creation is attempted at a depth that cannot be valid.  If you agree
I will add to design document.

I agree. Please also add a ticket for this part. The check can be IMO added to FreeIPA 4.2.1, it is not critical for 4.2 GA.

Note that this basiConstrain would surely prevent you from using the upcoming


but this is OK with you, I assume. BTW, Fraser, we should record a task to
properly watch for the pathlen limitation and have nice error messages around
it when admin attempts to use Sub-CAs.

Final note, there is a related ticket:



Jan Cholasta

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to