
Intermediate with OpenSSL: verify error:num=25:path length constraint exceeded #78

Open
jbwdevries opened this issue Jun 11, 2019 · 4 comments

Comments

@jbwdevries

Could be a documentation issue - there is nothing in the README.md. I generated an Intermediate certificate using these steps:

```
./bin/certstrap-master-linux-amd64 init --common-name "Unit Test Server Root CA" --key-bits 1024 --expires "100 years"

./bin/certstrap-master-linux-amd64 request-cert --common-name "Unit Test Server Intermediate CA" --key-bits 1024
./bin/certstrap-master-linux-amd64 sign --expires "100 years" --CA "Unit Test Server Root CA" --intermediate "Unit Test Server Intermediate CA"

./bin/certstrap-master-linux-amd64 request-cert --common-name "localhost" --ip "127.0.0.1" --domain "localhost" --key-bits 1024
./bin/certstrap-master-linux-amd64 sign --expires "100 years" --CA "Unit Test Server Intermediate CA" "localhost"
```

I'm trying to debug it, but can't quite figure out what this comment means:

```
// Not allow any non-self-issued intermediate CA, sets MaxPathLen=0
```

Should I generate my Intermediate CA differently?

@mcpherrinm
Contributor

The intermediate isn't actually the problem here, it's the root:

Certstrap generates roots with pathlen:0, which can't be used to sign intermediates. We don't put a pathlen on intermediates though....

That seems confusing and is definitely not documented anywhere. Path length really ought to be a flag.
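An added example, not certstrap's own code, that reproduces the point above with Go's crypto/x509: a root carrying pathlen:0 rejects a root -> intermediate -> leaf chain, while the same root with pathlen:1 accepts it. The subject names are reused from the issue, the intermediate gets no pathlen (as certstrap generates them), and the keys are throwaway P-256 keys generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// tmpl builds a template; CertSign in ku marks a CA. For CAs, pathLen -1 omits the pathlen (as certstrap does for intermediates) and 0 is encoded as pathlen:0.
func tmpl(cn string, serial int64, ku x509.KeyUsage, pathLen int) *x509.Certificate {
	ca := ku&x509.KeyUsageCertSign != 0
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, MaxPathLen: pathLen, MaxPathLenZero: ca && pathLen == 0,
	}
}

// mkCert signs t with parentKey (self-signed when parent is nil) and returns it with its new key.
func mkCert(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyChain builds root -> intermediate -> leaf with the given root pathlen and returns the leaf's verification error (nil when accepted).
func VerifyChain(rootPathLen int) error {
	root, rootKey := mkCert(tmpl("Unit Test Server Root CA", 1, x509.KeyUsageCertSign, rootPathLen), nil, nil)
	inter, interKey := mkCert(tmpl("Unit Test Server Intermediate CA", 2, x509.KeyUsageCertSign, -1), root, rootKey)
	leaf, _ := mkCert(tmpl("localhost", 3, x509.KeyUsageDigitalSignature, -1), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// IsPathLenError reports whether err is Go's counterpart of OpenSSL's error 25 (path length constraint exceeded).
func IsPathLenError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.TooManyIntermediates
}
```

`VerifyChain(0)` fails with `TooManyIntermediates`, `VerifyChain(1)` and `VerifyChain(-1)` (root without a pathlen) succeed.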

agy pushed a commit to agy/certstrap that referenced this issue Aug 11, 2020
By default when certstrap initializes a CA certificate it sets the
`pathlen` X509v3 basic constraint to zero (0). This is correct if the CA
will not be used in a certificate chain which includes intermediate
certificates.

Add a parameter to `certstrap init` to allow a user to override the
`pathlen` constraint if they know that their CA will be used with
intermediate certificates. By default the value is set to zero, leaving
the behaviour the same as before this change if the parameter isn't
overridden.

c.f. https://tools.ietf.org/html/rfc5280#section-4.2.1.9

Example usage:

```
$ certstrap init -cn foo.example.com
[...]
$ openssl x509 -noout -text -in out/foo.example.com.crt
[...]
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
[...]
```

```
$ certstrap init -cn bar.example.com --path-length 1
[...]
$ openssl x509 -noout -text -in out/bar.example.com.crt
[...]
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
[...]
```

Fixes: square#78
@antong

antong commented Sep 28, 2020

I ran into this same thing, but I must be missing something. How has anybody ever made use of the --intermediate functionality if the maxpathlen of the root prevents it from working at all?

tmick0 pushed a commit to tmick0/certstrap that referenced this issue Dec 9, 2021
@VeitSanner

It would be really helpful if the path length constraint is fixed. Otherwise intermediate CAs are not really working, because if the root CA is used to sign an intermediate CA, the certificates issued by the intermediate CA are invalid.

@jdtw, could you please look at PR #135.

@VeitSanner

Unfortunately PR #135 is still stalled with the remark "Code owner review required".

@isemaya-square, as far as I can see you have recently merged two PRs. Is there a chance that the PR is reviewed?


4 participants