Hi Fraser,
Thanks. I actually looked at your proposal. It certainly makes it
easier. But hopefully the info we put in will help others in need.

The EV bar - we are finishing up on a detailed analysis. In summary,
its actually not possible to get green bar without recompiling
Mozilla/Chrome (which makes it an impractical solution to work with
for anything but very small networks). IE on the other hand is simpler
if you have AD environment.


On Mon, Sep 21, 2015 at 7:54 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. 
> wrote:
>> Hi all,
>> Recently we needed to create a subordinate CA in FreeIPA and
>> conveniently used the certificate profile feature in 4.2.0. For
>> benefit of others, I have documented this in our blog,
>> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
>> Any comments are appreciated.
>> Summary of the profile is:
>> *) Set the CA flag set to true
>> *) Set the appropriate Key Usage constraint.
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
>> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
>> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
>> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
>> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
>> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
>> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
>> We have verified the certs issued with Sub-CA are accepted in browsers
>> where only the Root CA is set as trusted.
>> -Kiran
> Thank you for sharing, Kiran!
> A future version of FreeIPA will support creating sub-CAs via a
> native plugin and allow specifying the desired issuer as an argument
> to `ipa cert-request' and `ipa-getcert request'.
> Regarding EV: the list of supported EV policies is maintained by
> browser vendors and validation includes matching the policy OID with
> the expected issuer.  Accordingly, even with the right Dogtag
> profile you would have to modify the browser (or, possibly, some
> configuration that is read by the browser) to attain the green bar.
> It is probably not worth the effort :)
> Cheers,
> Fraser

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to