On 15.5.2015 at 09:31 Martin Kosek wrote:
On 05/15/2015 09:22 AM, Fraser Tweedale wrote:
On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:
Hi,

On 5.5.2015 at 10:43 Martin Kosek wrote:
On 05/04/2015 01:19 PM, Harald Dunkel wrote:
Hi folks,

Instead of a self-signed certificate I would like to use an external
CA to sign freeipa's CSR ("ipa-server-install --external-ca").
Question:

Is pathlen:0, e.g.

    basicConstraints=critical,CA:TRUE, pathlen:0

sufficient for freeipa's CA certificate?

I would say it should be sufficient for FreeIPA CA for now, given it does not allow subordinate CAs. However, I am still CCing Fraser and Honza for reference, in case there would be some limitation in Dogtag/our CA certificate that would limit use of the basicConstraints extension.

I'm not aware of any.

Yes, currently it is sufficient.  When FreeIPA has sub-CAs
capability, a pathLenConstraint of zero will prevent the creation of
valid sub-CAs.

Martin, Jan, this is a situation I had not considered.  I propose
that we should detect pathLenConstraint and error out if sub-CAs
creation is attempted at a depth that cannot be valid.  If you agree
I will add to design document.

I agree. Please also add a ticket for this part. The check can be IMO
added to FreeIPA 4.2.1, it is not critical for 4.2 GA.

I believe there would be other things to check as well, e.g. directoryName name constraints.


Note that this basicConstraints would surely prevent you from using the upcoming feature

http://www.freeipa.org/page/V4/Sub-CAs

but this is OK with you, I assume. BTW, Fraser, we should record a task to properly watch for the pathlen limitation and have nice error messages around it when admin attempts to use Sub-CAs.

Final note, there is a related ticket:
https://fedorahosted.org/freeipa/ticket/3466

Martin


Honza

--
Jan Cholasta



--
Jan Cholasta
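The pathLenConstraint check that Fraser proposes above, as an added example that is not FreeIPA or Dogtag code: it parses OpenSSL-style basicConstraints values such as the `critical,CA:TRUE, pathlen:0` in the question, works out how many further intermediate CAs the whole chain still permits below the issuing CA (a pathlen on the external root counts too, not only one on the FreeIPA CA certificate), and returns an error message instead of letting an unusable sub-CA be created. The chain representation (a list of basicConstraints strings, root first) and all function names are my own assumptions; the sample chains are constructed.

```python
"""Added example for the pathLenConstraint check discussed in the thread.

Illustrative code, not FreeIPA or Dogtag code.  A CA chain is modelled as a
list of OpenSSL-style basicConstraints strings (root CA first, the issuing
CA, e.g. the FreeIPA CA, last).  The logic follows RFC 5280 section 4.2.1.9:
pathLenConstraint on a CA certificate bounds the number of non-self-issued
intermediate certificates that may follow it in a valid certification path.
"""
from typing import List, NamedTuple, Optional


class BasicConstraints(NamedTuple):
    ca: bool
    pathlen: Optional[int]  # None means no pathLenConstraint present


def parse_basic_constraints(value: str) -> BasicConstraints:
    """Parse an OpenSSL x509v3 basicConstraints value such as
    'critical,CA:TRUE, pathlen:0' (the form used in the question)."""
    ca = False
    pathlen: Optional[int] = None
    for token in value.split(","):
        token = token.strip()
        if not token or token.lower() == "critical":
            continue  # 'critical' only affects extension criticality
        key, _, val = token.partition(":")
        key, val = key.strip().lower(), val.strip().upper()
        if key == "ca" and val in ("TRUE", "FALSE"):
            ca = val == "TRUE"
        elif key == "pathlen" and val.isdigit():
            pathlen = int(val)
        else:
            raise ValueError(f"unrecognised basicConstraints token: {token!r}")
    if pathlen is not None and not ca:
        raise ValueError("pathlen is only meaningful together with CA:TRUE")
    return BasicConstraints(ca, pathlen)


def remaining_intermediates(chain: List[str]) -> Optional[int]:
    """How many further intermediate CA certificates may follow the last
    certificate of `chain` in a valid path.  None means unlimited.

    Certificate i (0-based, n certificates in total) already has n-1-i
    certificates following it inside the chain, so its pathLenConstraint
    leaves pathlen_i - (n-1-i) slots.  The tightest constraint anywhere in
    the chain wins, which is why a pathlen on the external root matters too."""
    n = len(chain)
    remaining: Optional[int] = None
    for i, value in enumerate(chain):
        bc = parse_basic_constraints(value)
        if not bc.ca:
            raise ValueError(f"certificate {i} in the chain is not a CA certificate")
        if bc.pathlen is None:
            continue
        left = bc.pathlen - (n - 1 - i)
        if left < 0:
            raise ValueError(f"chain already violates pathLenConstraint of certificate {i}")
        remaining = left if remaining is None else min(remaining, left)
    return remaining


def sub_ca_error(chain: List[str], depth: int = 1) -> Optional[str]:
    """Return an error message if a sub-CA `depth` levels below the issuing CA
    could never appear in a valid path (depth=1 is a direct sub-CA), else None.
    This is the up-front check proposed in the thread: refuse the operation
    with a clear message rather than mint a CA that nothing can validate."""
    left = remaining_intermediates(chain)
    if left is None or left >= depth:
        return None
    return (f"cannot create a sub-CA at depth {depth}: the CA chain allows only "
            f"{left} further intermediate CA(s) below the issuing CA (pathLenConstraint)")


if __name__ == "__main__":
    # Constructed sample chains: external root first, then the FreeIPA CA it signed.
    examples = {
        "FreeIPA CA with pathlen:0": ["CA:TRUE", "critical,CA:TRUE, pathlen:0"],
        "no pathlen anywhere": ["CA:TRUE", "CA:TRUE"],
        "external root with pathlen:1": ["critical,CA:TRUE,pathlen:1", "CA:TRUE"],
    }
    for name, chain in examples.items():
        print(f"{name}: {sub_ca_error(chain) or 'sub-CA allowed'}")
```

With real certificates the same arithmetic applies to the `path_length` attribute of each certificate's BasicConstraints extension (for instance as exposed by the Python `cryptography` library) rather than to config strings. Jan's point about directoryName name constraints is a separate check on the NameConstraints extension and is not covered by this example.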

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
