On 15.5.2015 at 09:31 Martin Kosek wrote:
On 05/15/2015 09:22 AM, Fraser Tweedale wrote:
On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote:

On 5.5.2015 at 10:43 Martin Kosek wrote:
On 05/04/2015 01:19 PM, Harald Dunkel wrote:
Hi folks,

Instead of a self-signed certificate I would like to use an external
CA to sign freeipa's CSR ("ipa-server-install --external-ca").

Is pathlen:0, e.g.

    basicConstraints=critical,CA:TRUE, pathlen:0

sufficient for freeipa's CA certificate?

I would say it should be sufficient for the FreeIPA CA for now, given it does not allow subordinate CAs. However, I am still CCing Fraser and Honza for reference, in case there would be some limitation in Dogtag/our CA that would limit use of the basicConstraints extension.

I'm not aware of any.

Yes, currently it is sufficient.  When FreeIPA has sub-CAs
capability, a pathLenConstraint of zero will prevent the creation of
valid sub-CAs.

Martin, Jan, this is a situation I had not considered.  I propose that we should detect pathLenConstraint and error out if sub-CA creation is attempted at a depth that cannot be valid.  If you agree I will add it to the design document.

I agree. Please also add a ticket for this part. The check can IMO be added to FreeIPA 4.2.1; it is not critical for 4.2 GA.

I believe there would be other things to check as well, e.g. directoryName name constraints.

Note that this basicConstraints would surely prevent you from using the


but this is OK with you, I assume. BTW, Fraser, we should record a task to properly watch for the pathlen limitation and have nice error messages around it when an admin attempts to use Sub-CAs.

Final note, there is a related ticket:



Jan Cholasta
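A check of the kind proposed in this thread, written here as an added example and not FreeIPA's or Dogtag's own code: it models each CA certificate's basicConstraints along the chain and reports whether a sub-CA can still be created below the FreeIPA CA. The chain, subject names and function names are constructed for the example; reading the values out of real certificates is left to the caller.

```python
from typing import List, NamedTuple, Optional, Tuple


class BasicConstraints(NamedTuple):
    """basicConstraints of one CA certificate in a chain (root first)."""
    subject: str
    ca: bool
    path_len: Optional[int]  # None: no pathLenConstraint present


def remaining_depth(chain: List[BasicConstraints]) -> Tuple[Optional[int], Optional[BasicConstraints]]:
    """How many further CA certificates may still be issued below the last
    certificate in `chain`, and which certificate imposes that limit.

    Simplified RFC 5280 6.1.4 logic (self-issued certificates are not
    special-cased): a pathLenConstraint of n on a CA certificate allows at
    most n further CA certificates beneath it, and the tightest constraint
    along the path wins. (None, None) means no limit applies."""
    remaining: Optional[int] = None
    limiting: Optional[BasicConstraints] = None
    for depth, cert in enumerate(chain):
        if not cert.ca:
            raise ValueError(f"{cert.subject}: basicConstraints CA:FALSE")
        if cert.path_len is None:
            continue
        below = len(chain) - 1 - depth  # CA certs already issued under this one
        allowed = cert.path_len - below
        if remaining is None or allowed < remaining:
            remaining, limiting = allowed, cert
    return remaining, limiting


def subca_error(chain: List[BasicConstraints], levels: int = 1) -> Optional[str]:
    """Return a message explaining why `levels` nested sub-CAs cannot be
    created under the last CA in `chain`, or None when it is permitted."""
    remaining, limiting = remaining_depth(chain)
    if remaining is None or remaining >= levels:
        return None
    return (f"cannot create a sub-CA {levels} level(s) below {chain[-1].subject}: "
            f"{limiting.subject} carries pathlen:{limiting.path_len}, leaving room "
            f"for {max(remaining, 0)} more CA certificate(s)")


# Constructed sample: an external root CA without a pathLenConstraint signing
# the FreeIPA CA certificate with "CA:TRUE, pathlen:0", as in the question.
EXAMPLE_CHAIN = [
    BasicConstraints("CN=External Root CA", ca=True, path_len=None),
    BasicConstraints("CN=Certificate Authority,O=EXAMPLE.TEST", ca=True, path_len=0),
]

if __name__ == "__main__":
    print(subca_error(EXAMPLE_CHAIN))
```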

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project