Comments (4)
The intermediate isn't actually the problem here, it's the root: Certstrap generates roots with pathlen:0, which can't be used to sign intermediates. We don't put a pathlen on intermediates though....
That seems confusing and is definitely not documented anywhere. Path length really ought to be a flag.
from certstrap.
It would be really helpful if the path length constraint is fixed. Otherwise intermediate CAs are not really working, because if the root CA is used to sign an intermediate CA, the certificates issued by the intermediate CA are invalid.
@jdtw, could you please look at PR #135.
from certstrap.
I ran into this same thing, but I must be missing something. How has anybody ever made use of the --intermediate functionality if the maxpathlen of the root prevents it from working at all?
from certstrap.
Unfortunately PR #135 is still stalled with the remark "Code owner review required".
@isemaya-square, as far as I can see you have recently merged two PRs. Is there a chance that the PR is reviewed?
from certstrap.