Hi Fraser,

Thanks. I actually looked at your proposal. It certainly makes it easier. But hopefully the info we put in will help others in need.

The EV bar - we are finishing up on a detailed analysis. In summary, it's actually not possible to get the green bar without recompiling Mozilla/Chrome (which makes it an impractical solution to work with for anything but very small networks). IE on the other hand is simpler if you have an AD environment.

-Kiran

On Mon, Sep 21, 2015 at 7:54 PM, Fraser Tweedale <[email protected]> wrote:
> On Mon, Sep 21, 2015 at 06:44:30PM -0700, Silver Sky Soft Services, Inc.
> wrote:
>> Hi all,
>> Recently we needed to create a subordinate CA in FreeIPA and
>> conveniently used the certificate profile feature in 4.2.0. For the
>> benefit of others, I have documented this in our blog,
>>
>> http://silverskysoft.com/open-stack-xwrpr/2015/09/creating-a-subordinate-certificate-authortity-in-freeipa/
>>
>> Any comments are appreciated.
>>
>> Summary of the profile is:
>> *) Set the CA flag to true
>> *) Set the appropriate Key Usage constraint.
>>
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
>> policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
>> policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
>> policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
>> policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
>> policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
>> policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
>> policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
>> policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
>> policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
>> policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
>>
>> We have verified the certs issued with the Sub-CA are accepted in browsers
>> where only the Root CA is set as trusted.
>>
>> -Kiran
>>
> Thank you for sharing, Kiran!
>
> A future version of FreeIPA will support creating sub-CAs via a
> native plugin and allow specifying the desired issuer as an argument
> to `ipa cert-request' and `ipa-getcert request'.
>
> Regarding EV: the list of supported EV policies is maintained by
> browser vendors and validation includes matching the policy OID with
> the expected issuer. Accordingly, even with the right Dogtag
> profile you would have to modify the browser (or, possibly, some
> configuration that is read by the browser) to attain the green bar.
> It is probably not worth the effort :)
>
> Cheers,
> Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
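The profile fragment quoted in the thread is easy to get subtly wrong (a CA flag asserted in the default but not enforced by the constraint, a path length wider than intended, or a KeyCertSign bit left off), so a small audit of the profile text before it is imported is worth having. The following is an added example, not code from the thread, FreeIPA or Dogtag: it parses the `policyset.<set>.<n>.{constraint,default}.params.<name>=<value>` lines quoted above (the parameter names are those from the post; the parsing and the audit rules are this example's own assumptions) and reports findings for a sub-CA profile. The sample profile is the one from the thread; the weakened variant is constructed here for illustration.

```python
"""Audit a Dogtag/FreeIPA sub-CA certificate profile fragment (added example)."""
import re
from typing import Dict, List

# Profile text constructed from the lines quoted in the thread above
# (the caSubCertSet policy set), embedded so the check runs offline.
SUBCA_PROFILE = """\
policyset.caSubCertSet.5.constraint.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.constraint.params.basicConstraintsMinPathLen=0
policyset.caSubCertSet.5.constraint.params.basicConstraintsMaxPathLen=0
policyset.caSubCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
policyset.caSubCertSet.5.default.name=Basic Constraints Extension Default
policyset.caSubCertSet.5.default.params.basicConstraintsCritical=true
policyset.caSubCertSet.5.default.params.basicConstraintsIsCA=true
policyset.caSubCertSet.5.default.params.basicConstraintsPathLen=0
policyset.caSubCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.caSubCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.caSubCertSet.6.constraint.params.keyUsageCritical=true
policyset.caSubCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.caSubCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.caSubCertSet.6.constraint.params.keyUsageDataEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyEncipherment=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.caSubCertSet.6.constraint.params.keyUsageKeyCertSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageCrlSign=true
policyset.caSubCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.caSubCertSet.6.constraint.params.keyUsageDecipherOnly=false
"""

# Only the "...params.<name>=<value>" lines carry values worth checking;
# class_id and name lines are skipped by this regex (assumed line shape).
LINE_RE = re.compile(
    r"^policyset\.(?P<set>[^.]+)\.(?P<idx>\d+)\."
    r"(?P<side>constraint|default)\.params\.(?P<param>[^=]+)=(?P<value>.*)$"
)


def parse_profile(text: str) -> Dict[str, Dict[str, str]]:
    """Collect params as {'constraint': {name: value}, 'default': {name: value}}."""
    params: Dict[str, Dict[str, str]] = {"constraint": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        params[m.group("side")][m.group("param").strip()] = m.group("value").strip()
    return params


def audit_subca_profile(text: str) -> List[str]:
    """Return a list of findings; an empty list means the profile passes the audit."""
    p = parse_profile(text)
    c, d = p["constraint"], p["default"]
    findings: List[str] = []

    def truthy(side: Dict[str, str], key: str) -> bool:
        return side.get(key, "").lower() == "true"

    # Basic Constraints: the CA flag must be set by the default AND enforced by the constraint.
    if not truthy(d, "basicConstraintsIsCA"):
        findings.append("default does not set basicConstraintsIsCA=true")
    if not truthy(c, "basicConstraintsIsCA"):
        findings.append("constraint does not require basicConstraintsIsCA=true")
    if not truthy(d, "basicConstraintsCritical"):
        findings.append("basicConstraints extension is not marked critical")

    # Path length: the default value must lie inside the constraint's [min, max] window.
    try:
        plen = int(d.get("basicConstraintsPathLen", ""))
        lo = int(c.get("basicConstraintsMinPathLen", ""))
        hi = int(c.get("basicConstraintsMaxPathLen", ""))
        if not lo <= plen <= hi:
            findings.append(f"pathLen {plen} outside constraint window [{lo}, {hi}]")
    except ValueError:
        findings.append("path length not fully specified (default/min/max)")

    # Key Usage: a CA certificate needs keyCertSign and cRLSign, and the extension
    # should be critical; encipherment bits are not needed for a signing-only CA key.
    for ku in ("keyUsageKeyCertSign", "keyUsageCrlSign"):
        if not truthy(c, ku):
            findings.append(f"constraint does not require {ku}=true")
    if not truthy(c, "keyUsageCritical"):
        findings.append("keyUsage extension is not marked critical")
    for ku in ("keyUsageKeyEncipherment", "keyUsageDataEncipherment"):
        if truthy(c, ku):
            findings.append(f"{ku}=true is unnecessary for a CA key")
    return findings


# Weakened variant constructed for illustration: KeyCertSign dropped, pathLen widened.
WEAK_PROFILE = (
    SUBCA_PROFILE
    .replace("keyUsageKeyCertSign=true", "keyUsageKeyCertSign=false")
    .replace("basicConstraintsPathLen=0", "basicConstraintsPathLen=3")
)

if __name__ == "__main__":
    print("profile from the thread:", audit_subca_profile(SUBCA_PROFILE) or "OK")
    print("weakened variant:", audit_subca_profile(WEAK_PROFILE))
```

This audits the profile text only; the issued certificate should still be inspected (for example with `openssl x509 -in subca.pem -noout -text`) to confirm that `CA:TRUE, pathlen:0` and `Certificate Sign, CRL Sign` actually appear in the extensions, since the profile is only the policy that Dogtag applies at issuance.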
