Fix intermediate ca and add dns name constraints #309
Conversation
|
@bendbennett are you the right guy to approve the workflow and start the journey of getting this merged in? |
taliesins
force-pushed
the
fix_intermediate_ca
branch
from
53d082a
to
19a7016
Compare
|
@evanphx @hornbeck @dylanegan do you know who could approve the workflow for this? Its relatively small and makes a couple of cool use cases available. |
|
@bendbennett could you please approve the workflow and review this PR |
|
Hi @bendbennett @kmoe @apparentlymart @bflad @radeksimko How do I get someone to approve the workflow? This PR fixes a bug in a relatively common use case (Intermediate CA). Is this provider still an active project? |
|
Hi @taliesins 👋 I have approved the workflow but I'm afraid that reviewing this PR is currently on-hold as we need to triage the changes and our team’s focus is currently elsewhere at the moment. |
|
@bendbennett I am keeping this PR up to date. Honestly this shouldn't take someone more that an hour to get merged in. |
|
@bendbennett keeping this guy up to date. Using this update to the provider and a secret store I have successfully run private key infrastracture across AWS and EKS for shared services, non-production and production accounts. Being able to delegate Intermediate CAs to teams as I can limit the scope has helped a lot. Would be great if you could get someone to spare an hour to review this and merge it in |
|
Hi @taliesins 👋 Sorry for the delay in getting to this but I'm afraid that reviewing this PR is currently on-hold as we need to triage the changes and our team’s focus is currently elsewhere at the moment. |
|
@bendbennett Any chance to put limited focus on this one? It's a really useful change and the community would really appreciate it if this contribution would make it into the provider. As an open source maintainer I know that quality of PRs can differ quite a lot, but this one looks really rock solid to me. Well thought out changes, cleanly implemented and good test coverage. |
|
Hi @whiskeysierra 👋 Again, apologies for the delay. I have marked the issue for triage. We will discuss it at our next triage meeting and determine whether this can be prioritised. |
@bendbennett When is your next triage meeting scheduled? |
|
Nearly a year later... any update on this important and useful feature? |
|
@bendbennett let me know when you are going to consider this pr and I will fix the pr to pass the build. |
|
hi! anyfurther development on this? |
|
I could really do with this being fixed as well. |
Signed-off-by: Stéphane Este-Gracias <sestegra@gmail.com>
taliesins
force-pushed
the
fix_intermediate_ca
branch
from
55e45fc
to
cd8e745
Compare
|
@bendbennett could you approve the workflow again. I have pulled the latest changes into this branch. |
fix build failures
taliesins
force-pushed
the
fix_intermediate_ca
branch
from
cd8e745
to
8486b51
Compare
When creating an intermediate CA certificate we need to be able to set set_authority_key_id otherwise authority key id is excluded from certificate when creating an intermediate CA certificate, which causes problems for validation of chain as we don't know the parent certificate. This relates to issues reported in: #66 (a normal certificate does automaticaly set authority key id but intermediate does not.
Add support for certificate domain name certificate constraints. This is useful as we can limit the domains that people can issue domains for. Note: this verification is done on the client and it does not stop people from issuing an invalid certificate. To verify the client use https://bettertls.com/. Most modern browsers support it.
Also included #301 9f57550 for max length path. This is useful as we can prevent people from using the CA or intermediate CA from creating more intermediate CAs. Note: the verification is done on the client, see not for domain name constraints/