Intermediate with OpenSSL: verify error:num=25:path length constraint exceeded #78
The intermediate isn't actually the problem here, it's the root: Certstrap generates roots with That seems confusing and is definitely not documented anywhere. Path length really ought to be a flag.
By default when certstrap initializes a CA certificate it sets the `pathlen` X509v3 basic constraint to zero (0). This is correct if the CA will not be used in a certificate chain which includes intermediate certificates. Add a parameter to `certstrap init` to allow a user to override the `pathlen` constraint if they know that their CA will be used with intermediate certificates. By default the value is set to zero, leaving the behaviour the same as before this change if the parameter isn't overridden.

c.f. https://tools.ietf.org/html/rfc5280#section-4.2.1.9

Example usage:

```
$ certstrap init -cn foo.example.com
[...]
$ openssl x509 -noout -text -in out/foo.example.com.crt
[...]
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
[...]
```

```
$ certstrap init -cn bar.example.com --path-length 1
[...]
$ openssl x509 -noout -text -in out/bar.example.com.crt
[...]
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
[...]
```

Fixes: square#78
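Added example, not certstrap's code and not from this thread: it builds a root -> intermediate -> leaf chain with Go's `crypto/x509`, once with the root carrying `pathlen:0` (what `certstrap init` emits by default) and once with `pathlen:1`, and runs chain verification. Go's verifier rejects the first chain for the same reason OpenSSL reports error 25 (path length constraint exceeded); the names, serials and lifetimes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a cert template; pathLen >= 0 makes it a CA with that explicit pathlen.
func template(cn string, serial int64, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if pathLen < 0 { // end-entity (server) certificate
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
	} else { // CA; MaxPathLenZero is what makes Go encode pathlen:0 instead of omitting it
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// sign issues tmpl under parent (pass tmpl as its own parent for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub, key any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err) // the templates above are valid, so this would be a programming error
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by the library parses cleanly
	return cert
}

// VerifyWithRootPathLen builds root -> intermediate -> leaf under the given root pathlen and returns leaf.Verify's error.
func VerifyWithRootPathLen(rootPathLen int) error {
	newKey := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := template("Test Root", 1, rootPathLen)
	root := sign(rootTmpl, rootTmpl, rootKey.Public(), rootKey)
	inter := sign(template("Test Intermediate", 2, 0), root, interKey.Public(), rootKey)
	leaf := sign(template("leaf.example.com", 3, -1), inter, leafKey.Public(), interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "leaf.example.com"})
	return err // pathlen:0 -> "too many intermediates for path length constraint"; pathlen:1 -> nil
}
```

`VerifyWithRootPathLen(0)` reproduces the failure in this issue; `VerifyWithRootPathLen(1)` is the chain a root created with `--path-length 1` allows.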
I ran into this same thing, but I must be missing something. How has anybody ever made use of the --intermediate functionality if the maxpathlen of the root prevents it from working at all?
Unfortunately PR #135 is still stalled with the remark "Code owner review required". @isemaya-square, as far as I can see you have recently merged two PRs. Is there a chance that the PR is reviewed?
Could be a documentation issue - there is nothing in the README.md. I generated an Intermediate certificate using these steps:
I'm trying to debug it, but can't quite figure out what this comment means:
Should I generate my Intermediate CA differently?