#7088 Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" in IPA CA CSR
Closed: fixed 7 years ago Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1427798

Description of problem:
When you create a new certificate request using ipa-cacert-manage, the CSR
contains an "X509v3 Basic Constraints" attribute "CA" which is set to "FALSE".

Based on RFC2986, the "certification request information" part of the CSR
contains a subject distinguished name, a subject public key and optionally a
set of attributes.

It's not clear to me why the value of the "CA" attribute is set to "FALSE".
IMHO the CSR which is created should supply some information about the intended
use case of the certificate. We do need the signing CA to
delegate CA authority to the new CA certificate. To do this, a proper CA
profile has to be used to sign the CSR.

While we use the string "CN=Certificate Authority" in the Subject DN, the
attribute "CA" set to "FALSE" might give a wrong impression that this cert will
be used for an end entity.

I would recommend to change the attribute value to "TRUE".


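As an added example (not code from this ticket, from ipa-cacert-manage or from the FreeIPA project), the script below uses openssl to build a CSR whose extensionRequest attribute carries Basic Constraints, once as a CA request (CA:TRUE) and once as an end-entity request (CA:FALSE), and then reads the flag back with `openssl req -text`, which is the kind of inspection that shows the CA:FALSE the report describes. The subject values (O and CN) and the file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA ticket or project: build a CSR whose
# extensionRequest attribute carries Basic Constraints, then read the CA flag
# back out of it with openssl. The O= and CN= values are made-up placeholders.
set -eu

# make_csr KEYFILE CSRFILE CAFLAG
# Generate a throwaway RSA key and a CSR whose requested extensions include
# basicConstraints with CA:TRUE (a CA request) or CA:FALSE (an end-entity one).
make_csr() {
    key="$1"; csr="$2"; caflag="$3"
    cfg="$(mktemp)"
    cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
O = EXAMPLE.TEST
CN = Certificate Authority

[ req_ext ]
basicConstraints = critical, CA:$caflag
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg"
}

# csr_ca_flag CSRFILE
# Print the CA flag found in the CSR's requested Basic Constraints extension:
# TRUE, FALSE, or NONE when the CSR requests no basicConstraints at all.
csr_ca_flag() {
    text="$(openssl req -in "$1" -noout -text)"
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo TRUE
    elif printf '%s\n' "$text" | grep -q 'CA:FALSE'; then
        echo FALSE
    else
        echo NONE
    fi
}

# Stand-alone run: one CA-style request and one end-entity-style request.
if [ "${1:-}" = "demo" ]; then
    dir="$(mktemp -d)"
    make_csr "$dir/ca.key" "$dir/ca.csr" TRUE
    make_csr "$dir/ee.key" "$dir/ee.csr" FALSE
    echo "ca.csr: CA:$(csr_ca_flag "$dir/ca.csr")"
    echo "ee.csr: CA:$(csr_ca_flag "$dir/ee.csr")"
    rm -rf "$dir"
fi
```

Run it as `sh script.sh demo`. The Basic Constraints value in a CSR is only a request: the issuing CA decides what ends up in the certificate, which is why the report also says the signing CA must use a proper CA profile. Checking the CSR this way confirms that the request itself at least states the intended use correctly.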
Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1427798

7 years ago

Metadata Update from @pvoborni:
- Issue assigned to rcritten

7 years ago

master:

  • a37e905 Include the CA basic constraint in CSRs when renewing a CA

Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Don't we need to backport this to 4.5?

That is what I got out of the triage. Would need to be backported to 4.6 as well in that case.

PR 963 was pushed during August; 4.6 was released after. So there is no need to backport to 4.6; it should already be there.

ipa-4-5:

  • cae3e59 Include the CA basic constraint in CSRs when renewing a CA
