Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1427798
Description of problem:

When you create a new certificate request using ipa-cacert-manage, the CSR contains an "X509v3 Basic Constraints" attribute "CA" which is set to "FALSE". Based on RFC 2986, the "certification request information" part of the CSR contains a subject distinguished name, a subject public key and optionally a set of attributes. It's not clear to me why the value of the "CA" attribute is set to "FALSE". IMHO the CSR which is created should supply some information about the intended use case of the certificate.

We do need the signing CA to delegate CA authority to the new CA certificate. To do this, a proper CA profile has to be used to sign the CSR. While we use the string "CN=Certificate Authority" in the Subject DN, the attribute "CA" set to "FALSE" might give the wrong impression that this cert will be used for an end entity. I would recommend changing the attribute value to "TRUE".

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
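The report above hinges on where the Basic Constraints value actually lives in a PKCS#10 request: not as a top-level field, but inside the optional attributes set of CertificationRequestInfo, as a PKCS#9 extensionRequest attribute wrapping an X.509 Extensions sequence. The following is an added example written for this page, not FreeIPA or ipa-cacert-manage code, that builds a minimal CSR of that shape with the Python standard library only and then reads the requested cA flag back out. The public key and signature bytes are constructed placeholders so it runs offline; the function names `build_csr` and `csr_basic_constraints_ca` and the placeholder contents are this example's own.

```python
"""Build and inspect a minimal PKCS#10 (RFC 2986) CSR, stdlib only.

Added example, not FreeIPA code. Key and signature are placeholders
(constructed data) so the structure can be built and parsed offline.
"""

OID_COMMON_NAME = "2.5.4.3"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest
OID_BASIC_CONSTRAINTS = "2.5.29.19"


def der(tag, content):
    """Encode one DER TLV: tag, definite-form length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def oid_bytes(dotted):
    """Content octets of an OBJECT IDENTIFIER (first two arcs merged, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(enc)
    return bytes(out)


def der_oid(dotted):
    return der(0x06, oid_bytes(dotted))


def build_csr(ca, explicit_false=False):
    """DER CertificationRequest whose extensionRequest carries basicConstraints.

    DER omits cA when it equals its DEFAULT (FALSE); explicit_false emits
    the FALSE anyway, which a lenient reader must still treat as FALSE.
    """
    if ca:
        basic_constraints = der(0x30, der(0x01, b"\xff"))
    elif explicit_false:
        basic_constraints = der(0x30, der(0x01, b"\x00"))
    else:
        basic_constraints = der(0x30, b"")
    extension = der(0x30, der_oid(OID_BASIC_CONSTRAINTS)
                    + der(0x01, b"\xff")             # critical TRUE
                    + der(0x04, basic_constraints))   # extnValue OCTET STRING
    ext_req_attr = der(0x30, der_oid(OID_EXTENSION_REQUEST)
                       + der(0x31, der(0x30, extension)))  # values SET { Extensions }
    subject = der(0x30, der(0x31, der(0x30, der_oid(OID_COMMON_NAME)
                                    + der(0x0C, b"Certificate Authority"))))
    spki = der(0x30, der(0x30, der_oid(OID_RSA_ENCRYPTION) + der(0x05, b""))
               + der(0x03, b"\x00" + bytes(16)))   # placeholder key bits (constructed)
    cri = der(0x30, der(0x02, b"\x00")              # version v1
              + subject + spki
              + der(0xA0, ext_req_attr))            # attributes [0] IMPLICIT SET OF Attribute
    sig_alg = der(0x30, der_oid(OID_SHA256_RSA) + der(0x05, b""))
    placeholder_sig = der(0x03, b"\x00" + bytes(16))  # constructed, not a real signature
    return der(0x30, cri + sig_alg + placeholder_sig)


def read_tlv(buf, pos=0):
    """Decode one TLV at pos (single-byte tags suffice here); return (tag, content, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content


def csr_basic_constraints_ca(csr_der):
    """Return the cA flag the CSR requests; None if it requests no basicConstraints."""
    _, body, _ = read_tlv(csr_der)                 # CertificationRequest
    _, cri, _ = read_tlv(body)                     # CertificationRequestInfo
    attributes = next((c for t, c in iter_tlvs(cri) if t == 0xA0), b"")
    for _, attr in iter_tlvs(attributes):          # Attribute ::= SEQUENCE { type, values }
        _, attr_type, pos = read_tlv(attr)
        if attr_type != oid_bytes(OID_EXTENSION_REQUEST):
            continue
        _, values, _ = read_tlv(attr, pos)
        _, extensions, _ = read_tlv(values)        # the one Extensions SEQUENCE
        for _, ext in iter_tlvs(extensions):
            fields = list(iter_tlvs(ext))          # extnID, [critical], extnValue
            if fields[0][1] != oid_bytes(OID_BASIC_CONSTRAINTS):
                continue
            _, bc, _ = read_tlv(fields[-1][1])     # BasicConstraints SEQUENCE
            for tag, value in iter_tlvs(bc):
                if tag == 0x01:
                    return value != b"\x00"
            return False                           # cA absent: DEFAULT FALSE
    return None


if __name__ == "__main__":
    for flags in ((True, False), (False, False), (False, True)):
        print(flags, csr_basic_constraints_ca(build_csr(*flags)))
```

Against a real CSR produced by ipa-cacert-manage (or `openssl req`), `csr_basic_constraints_ca` applies unchanged to the DER bytes; a result of `False` on a request whose Subject is `CN=Certificate Authority` is exactly the mismatch the report describes, and it is the CA's signing profile, not the CSR attribute, that ultimately decides whether the issued certificate gets CA:TRUE.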
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1427798
Metadata Update from @pvoborni: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/963
master:
Metadata Update from @pvomacka: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Don't we need to backport this to 4.5?
That is what I got out of the triage. Would need to be backported to 4.6 as well in that case.
PR 963 was pushed during August; 4.6 was released after. So there is no need to backport to 4.6, it should already be there.
4.5 backport: https://github.com/freeipa/freeipa/pull/1217
ipa-4-5: