Re: [Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA

2015-09-21 Thread Silver Sky Soft Services, Inc.
Hi Fraser,
Thanks. I actually looked at your proposal. It certainly makes it
easier. But hopefully the info we put in will help others in need.

The EV bar - we are finishing up a detailed analysis. In summary,
it's actually not possible to get the green bar without recompiling
Mozilla/Chrome (which makes it an impractical solution to work with
for anything but very small networks). IE, on the other hand, is simpler
if you have an AD environment.

-Kiran

On Mon, Sep 21, 2015 at 7:54 PM, Fraser Tweedale  wrote:
> On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. 
> wrote:
>> Hi all,
>> Recently we needed to create a subordinate CA in FreeIPA and
>> conveniently used the certificate profile feature in 4.2.0. For
>> benefit of others, I have documented this in our blog,
>>
>> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
>>
>> Any comments are appreciated.
>>
>> Summary of the profile is:
>> *) Set the CA flag to true
>> *) Set the appropriate Key Usage constraint.
>>
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
>> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
>> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
>> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
>> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
>> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
>> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
>>
>> We have verified the certs issued with Sub-CA are accepted in browsers
>> where only the Root CA is set as trusted.
>>
>> -Kiran
>>
> Thank you for sharing, Kiran!
>
> A future version of FreeIPA will support creating sub-CAs via a
> native plugin and allow specifying the desired issuer as an argument
> to `ipa cert-request' and `ipa-getcert request'.
>
> Regarding EV: the list of supported EV policies is maintained by
> browser vendors and validation includes matching the policy OID with
> the expected issuer.  Accordingly, even with the right Dogtag
> profile you would have to modify the browser (or, possibly, some
> configuration that is read by the browser) to attain the green bar.
> It is probably not worth the effort :)
>
> Cheers,
> Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
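The following is an added example, not code from the thread, from FreeIPA or from Dogtag. It rebuilds the sub-CA profile quoted above with the plain openssl CLI so the two claims in the post can be checked offline: a leaf issued by a sub-CA carrying CA:TRUE, pathlen:0 and keyCertSign/cRLSign validates when only the root is trusted, and, the part the thread does not spell out, pathlen:0 stops that sub-CA from delegating issuance to a further CA. The subject names, the example.test hostname, the P-256 keys and the 365-day lifetimes are assumptions made for the demo; it requires openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not code from the thread, FreeIPA or Dogtag): reproduce the
# effect of the sub-CA profile with the openssl CLI, offline.
#   root (self-signed) -> sub (CA:TRUE, pathlen:0, keyCertSign|cRLSign) -> leaf
# and confirm the leaf validates with only the root trusted, as Kiran reports.
# It then shows what pathlen:0 buys: a further CA issued under "sub" is
# rejected, so the sub-CA cannot delegate issuance even if its key is misused.
# Names, subjects and keys are constructed for the demo; needs openssl 1.1.1+.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > root.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Same bits as policyset.caSubCertSet.5 (Basic Constraints) and .6 (Key Usage)
# in the Dogtag profile quoted above, expressed in openssl x509v3 syntax.
cat > subca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:www.example.test
EOF

# issue NAME SUBJECT EXTFILE [ISSUER]: generate a P-256 key and a CSR, then
# self-sign (no ISSUER) or sign with ISSUER.key/ISSUER.crt. Note that
# `openssl x509 -req` never checks whether ISSUER may act as a CA; only the
# relying party's chain validation enforces that.
issue() {
  name=$1
  subj=$2
  ext=$3
  issuer=$4
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$name.key"
  openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 \
      -extfile "$ext" -out "$name.crt"
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 365 -extfile "$ext" -out "$name.crt"
  fi
}

# verify_with_root LEAF INTERMEDIATE...: build the chain for LEAF with only
# root.crt trusted (a browser with just the root imported); echoes OK or FAIL.
verify_with_root() {
  leaf=$1
  shift
  : > untrusted.pem
  for f in "$@"; do cat "$f" >> untrusted.pem; done
  if openssl verify -CAfile root.crt -untrusted untrusted.pem "$leaf" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# basic_constraints CERT: the decoded Basic Constraints extension, for review.
basic_constraints() {
  openssl x509 -in "$1" -noout -ext basicConstraints
}

issue root "/O=Example Test/CN=Example Root CA" root.ext
issue sub  "/O=Example Test/CN=Example Sub CA"  subca.ext root
issue leaf "/CN=www.example.test"               leaf.ext  sub
# Delegation below the sub-CA: sub2 is a well-formed CA cert, but it sits
# one level deeper than sub.crt's pathlen:0 allows.
issue sub2  "/O=Example Test/CN=Example Sub-Sub CA" subca.ext sub
issue leaf2 "/CN=www.example.test"                  leaf.ext  sub2

basic_constraints sub.crt
echo "leaf  via sub:       $(verify_with_root leaf.crt sub.crt)"            # OK
echo "leaf2 via sub, sub2: $(verify_with_root leaf2.crt sub.crt sub2.crt)"  # FAIL
```

The check worth keeping from this is the last step: against the certificate Dogtag actually issued, run `openssl verify -CAfile <root> -untrusted <subca.crt> <leaf>` and `openssl x509 -in <subca.crt> -noout -ext basicConstraints,keyUsage` to confirm the CA flag, path length and key usage came out as the profile intended. In FreeIPA the profile itself is loaded with `ipa certprofile-import`, a step the thread does not show.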


Re: [Freeipa-users] Creating A Subordinate Certificate Authority in FreeIPA

2015-09-21 Thread Fraser Tweedale
On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc. wrote:
> Hi all,
> Recently we needed to create a subordinate CA in FreeIPA and
> conveniently used the certificate profile feature in 4.2.0. For
> benefit of others, I have documented this in our blog,
> 
> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
> 
> Any comments are appreciated.
> 
> Summary of the profile is:
> *) Set the CA flag to true
> *) Set the appropriate Key Usage constraint.
> 
> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
> 
> We have verified the certs issued with Sub-CA are accepted in browsers
> where only the Root CA is set as trusted.
> 
> -Kiran
> 
Thank you for sharing, Kiran!

A future version of FreeIPA will support creating sub-CAs via a
native plugin and allow specifying the desired issuer as an argument
to `ipa cert-request' and `ipa-getcert request'.

Regarding EV: the list of supported EV policies is maintained by
browser vendors and validation includes matching the policy OID with
the expected issuer.  Accordingly, even with the right Dogtag
profile you would have to modify the browser (or, possibly, some
configuration that is read by the browser) to attain the green bar.
It is probably not worth the effort :)

Cheers,
Fraser
