Re: [Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA

Hi Fraser,

Thanks. I actually looked at your proposal. It certainly makes it easier. But hopefully the info we put in will help others in need.

The EV bar - we are finishing up on a detailed analysis. In summary, it's actually not possible to get the green bar without recompiling Mozilla/Chrome (which makes it an impractical solution to work with for anything but very small networks). IE on the other hand is simpler if you have an AD environment.

-Kiran

On Mon, Sep 21, 2015 at 7:54 PM, Fraser Tweedale wrote:
> On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. wrote:
>> Hi all,
>>
>> Recently we needed to create a subordinate CA in FreeIPA and
>> conveniently used the certificate profile feature in 4.2.0. For the
>> benefit of others, I have documented this in our blog,
>>
>> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
>>
>> Any comments are appreciated.
>>
>> Summary of the profile is:
>> *) Set the CA flag to true
>> *) Set the appropriate Key Usage constraint.
>>
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
>> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
>> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
>> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
>> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
>> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
>> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
>>
>> We have verified the certs issued with Sub-CA are accepted in browsers
>> where only the Root CA is set as trusted.
>>
>> -Kiran
>>
> Thank you for sharing, Kiran!
>
> A future version of FreeIPA will support creating sub-CAs via a
> native plugin and allow specifying the desired issuer as an argument
> to `ipa cert-request' and `ipa-getcert request'.
>
> Regarding EV: the list of supported EV policies is maintained by
> browser vendors and validation includes matching the policy OID with
> the expected issuer. Accordingly, even with the right Dogtag
> profile you would have to modify the browser (or, possibly, some
> configuration that is read by the browser) to attain the green bar.
> It is probably not worth the effort :)
>
> Cheers,
> Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA

Hi all,

Recently we needed to create a subordinate CA in FreeIPA and conveniently used the certificate profile feature in 4.2.0. For the benefit of others, I have documented this in our blog,

http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/

Any comments are appreciated.

Summary of the profile is:
*) Set the CA flag to true
*) Set the appropriate Key Usage constraint.

policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false

We have verified the certs issued with Sub-CA are accepted in browsers where only the Root CA is set as trusted.

-Kiran
Re: [Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA

On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. wrote:
> Hi all,
>
> Recently we needed to create a subordinate CA in FreeIPA and
> conveniently used the certificate profile feature in 4.2.0. For the
> benefit of others, I have documented this in our blog,
>
> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
>
> Any comments are appreciated.
>
> Summary of the profile is:
> *) Set the CA flag to true
> *) Set the appropriate Key Usage constraint.
>
> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
>
> We have verified the certs issued with Sub-CA are accepted in browsers
> where only the Root CA is set as trusted.
>
> -Kiran
>
Thank you for sharing, Kiran!

A future version of FreeIPA will support creating sub-CAs via a
native plugin and allow specifying the desired issuer as an argument
to `ipa cert-request' and `ipa-getcert request'.

Regarding EV: the list of supported EV policies is maintained by
browser vendors and validation includes matching the policy OID with
the expected issuer. Accordingly, even with the right Dogtag
profile you would have to modify the browser (or, possibly, some
configuration that is read by the browser) to attain the green bar.
It is probably not worth the effort :)

Cheers,
Fraser