On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. wrote:
> Hi all,
> Recently we needed to create a subordinate CA in FreeIPA and
> conveniently used the certificate profile feature in 4.2.0. For
> benefit of others, I have documented this in our blog,
> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
> Any comments are appreciated.
> Summary of the profile is:
> *) Set the CA flag set to true
> *) Set the appropriate Key Usage constraint.
> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
> We have verified the certs issued with Sub-CA are accepted in browsers
> where only the Root CA is set as trusted.
> -Kiran
Thank you for sharing, Kiran!

A future version of FreeIPA will support creating sub-CAs via a
native plugin and allow specifying the desired issuer as an argument
to `ipa cert-request' and `ipa-getcert request'.

Regarding EV: the list of supported EV policies is maintained by
browser vendors and validation includes matching the policy OID with
the expected issuer.  Accordingly, even with the right Dogtag
profile you would have to modify the browser (or, possibly, some
configuration that is read by the browser) to attain the green bar.
It is probably not worth the effort :)


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to