FreeIPA's cert profile for end entity certs does not include a BasicConstraints field. EE certs have AKID, SKID, AIA for OCSP, KU, EKU, CRL DP, and SAN. Although BC is optional in CAB baseline requirements, it is pretty standard to have a CA:FALSE;critical extension in EE certs. I checked multiple certs from Let's Encrypt, DigiCert, GeoTrust and other public CAs. All EE certs had the BC extension.
BasicConstraint CA:FALSE is also a requirement for SPIFFE SVID certs, https://github.com/spiffe/svid/blob/master/SPECIFICATION.md
Therefore I propose to include a BasicConstraints: CA:FALSE;critical extension in all profiles that generate EE certs.
Baseline Requirements, v. 1.4.5, section 7.1.2.3. Subscriber Certificate:
d. basicConstraints (optional) The cA field MUST NOT be true.
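To audit what the ticket describes (whether issued end-entity certificates actually carry basicConstraints with cA=FALSE marked critical), here is an added checker written with the pyca/cryptography library. It is not FreeIPA or Dogtag code; the two self-signed certificates it builds are constructed test fixtures standing in for certs issued by an IPA CA, and `check_ee_basic_constraints` is a name chosen here, not an API of either project.

```python
"""Audit end-entity certificates for a critical basicConstraints CA:FALSE extension.

Added example, not part of FreeIPA or Dogtag. Requires the pyca/cryptography
package. The sample certificates are constructed here so the check runs offline.
"""
import datetime
from typing import Dict, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def check_ee_basic_constraints(cert: x509.Certificate) -> str:
    """Classify an EE cert's basicConstraints extension.

    Returns one of:
      'ok'           - present, cA=FALSE, marked critical (the ticket's proposal)
      'missing'      - no basicConstraints at all (FreeIPA's default EE profiles)
      'not-critical' - cA=FALSE but the extension is not critical
      'ca-true'      - cA=TRUE, which the Baseline Requirements forbid for subscribers
    """
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return "missing"
    if ext.value.ca:
        return "ca-true"
    if not ext.critical:
        return "not-critical"
    return "ok"


def check_pem(pem_data: bytes) -> str:
    """Same check on a PEM-encoded certificate, e.g. bytes read from a file."""
    return check_ee_basic_constraints(x509.load_pem_x509_certificate(pem_data))


def _self_signed(common_name: str,
                 bc: Optional[x509.BasicConstraints],
                 critical: bool) -> x509.Certificate:
    """Build a constructed self-signed EE-style cert (SAN + serverAuth EKU),
    optionally adding a basicConstraints extension. Fixture only."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]),
                       critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                       critical=False)
    )
    if bc is not None:
        builder = builder.add_extension(bc, critical=critical)
    return builder.sign(key, hashes.SHA256())


def sample_results() -> Dict[str, str]:
    """Run the check over constructed fixtures covering each outcome."""
    ee_false = x509.BasicConstraints(ca=False, path_length=None)
    ee_true = x509.BasicConstraints(ca=True, path_length=None)
    fixtures = {
        "proposed": _self_signed("good.example.test", ee_false, critical=True),
        "ipa-default": _self_signed("default.example.test", None, critical=False),
        "non-critical": _self_signed("weak.example.test", ee_false, critical=False),
        "misissued": _self_signed("bad.example.test", ee_true, critical=True),
    }
    return {label: check_ee_basic_constraints(cert) for label, cert in fixtures.items()}


if __name__ == "__main__":
    for label, verdict in sample_results().items():
        print(f"{label:13s} -> {verdict}")
```

For a real audit, feed `check_pem` the bytes of a certificate issued by the IPA CA; a verdict of `missing` on an EE cert confirms the behaviour the ticket reports, and `ca-true` on anything issued from an EE profile is the case worth alerting on.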
I don't think we need to do this. It can be configured per-profile after all, and there's no problem with the default profile configuration.
closing per triage on Jul 25
Metadata Update from @pvoborni:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)