Sascha Ziemann <[EMAIL PROTECTED]> writes:

> Hi,
>
> is it possible to specify the maximum certification path length in a
> configuration file for certtool? Internet Explorer reports the path
> length of certificates made by certtool as unlimited.
>
> I have a Root CA, which signs an Issuer CA, and an Issuer CA, which
> signs client and server certificates. I would like to restrict the path
> length of the Root CA to two and the path length of the issuer CA to one
> in order to avoid any hacks made with the client or server certificates.

Hi! This is not possible today, but I implemented this in CVS. Thanks
for the suggestion! You can try CVS now, or tomorrow's daily snapshot.
Please let me know if/how it works.

Here are the NEWS entries:

** Certtool now print the value of the pathLenConstraints field for certs.

** Certtool now query for path length constraints when generating CA certs.
For batch uses, the certtool configuration name is "path_len".
Suggested by Sascha Ziemann <[EMAIL PROTECTED]>.

** Add new API to get/set pathLenConstraint in the Basic Constraints.
The new functions gnutls_x509_crt_get_basic_constraints and
gnutls_x509_crt_set_basic_constraints provide a superset of the
functionality in the old gnutls_x509_crt_get_ca_status and
gnutls_x509_crt_set_ca_status (respectively), but the old functions
will continue to be supported.

** API and ABI modifications:
gnutls_x509_crt_get_basic_constraints: ADD.
gnutls_x509_crt_set_basic_constraints: ADD.

/Simon
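
Added example, not part of the original thread and not GnuTLS code: a small C model of the RFC 5280 basicConstraints path length check that a verifier applies, run over constructed chains shaped like the Root CA / Issuer CA / end-entity hierarchy in the question. The struct, its field names and the use of -1 for an absent pathLenConstraint are assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model: only the fields the path length check needs. */
struct cert {
    const char *name;
    int ca;          /* basicConstraints cA flag */
    int pathlen;     /* pathLenConstraint; -1 means absent (example's convention) */
    int self_issued; /* issuer name equals subject name */
};

/* chain[0] is the trust anchor, chain[n-1] the end entity.
 * Returns -1 if the chain passes, else the index of the rejected cert. */
int check_path_len(const struct cert *chain, size_t n)
{
    int max_path = (int)n;
    for (size_t i = 0; i + 1 < n; i++) {   /* every cert that issues another */
        const struct cert *c = &chain[i];
        if (!c->ca)
            return (int)i;                 /* non-CA cert used as an issuer */
        if (!c->self_issued) {
            if (max_path <= 0)
                return (int)i;             /* CA level forbidden from above */
            max_path--;
        }
        if (c->pathlen >= 0 && c->pathlen < max_path)
            max_path = c->pathlen;         /* can tighten, never loosen */
    }
    return -1;
}

/* Constructed sample chains: {name, ca, pathlen, self_issued}. */
const struct cert chain_ok[] = {
    {"Root CA", 1, 1, 1}, {"Issuer CA", 1, 0, 0}, {"server", 0, -1, 0}};
const struct cert chain_sub_ca[] = {
    {"Root CA", 1, 1, 1}, {"Issuer CA", 1, 0, 0},
    {"extra sub-CA", 1, -1, 0}, {"server", 0, -1, 0}};
const struct cert chain_leaf_issuer[] = {
    {"Root CA", 1, 1, 1}, {"Issuer CA", 1, 0, 0},
    {"client", 0, -1, 0}, {"server", 0, -1, 0}};
const struct cert chain_looser[] = {   /* same shape, constraints 2 and 1 */
    {"Root CA", 1, 2, 1}, {"Issuer CA", 1, 1, 0},
    {"extra sub-CA", 1, -1, 0}, {"server", 0, -1, 0}};

int main(void)
{
    printf("%d %d %d %d\n", check_path_len(chain_ok, 3), check_path_len(chain_sub_ca, 4),
           check_path_len(chain_leaf_issuer, 4), check_path_len(chain_looser, 4));
    return 0;
}
```

With constraints 1 (Root CA) and 0 (Issuer CA) the chain containing an extra CA below the Issuer CA is rejected at index 2, while chain_looser shows that constraints 2 and 1 still accept one additional CA level.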
