The CA certificate generation process doesn't mark the CA:true extension as critical #1073

Closed
deyanstoykov opened this Issue Jun 26, 2015 · 0 comments


@deyanstoykov

A CA certificate generated by the scripts and OpenSSL config files shipped with FreeRADIUS contains the CA:true constraint, but it is not marked as critical as required by RFC5280.

"Conforming CAs MUST include this extension in all CA certificates
that contain public keys used to validate digital signatures on
certificates and MUST mark the extension as critical in such
certificates."

In order for this to be fixed, ca.cnf should contain

basicConstraints = critical,CA:true

instead of

basicConstraints = CA:true

Although the auto-generated certificates are not meant for production use, the default config files shipped with FreeRADIUS are sometimes used (after customization) for establishment of a private CA for 802.1X purposes only.

While we haven't yet noticed any supplicants being affected by this, it could cause problems in the future should the developers of TLS libraries decide to follow standards more strictly.
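Added example, not code from the issue or from the FreeRADIUS repository: a shell script that builds a throwaway self-signed CA with each of the two basicConstraints lines above and then checks, via the openssl x509 text dump, whether the extension came out critical. The config written here is a constructed minimal stand-in for ca.cnf; the section names and the Example Test CA subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the FreeRADIUS repo): generate a throwaway CA with
# each basicConstraints line and check whether the resulting certificate marks
# the extension critical, as RFC 5280 4.2.1.9 requires for CA certificates.
set -e
WORK=$(mktemp -d)

# Write a minimal self-signed CA config; $1 is the basicConstraints value,
# $2 the output file. The "[ v3_ca ]" section name mirrors ca.cnf (assumed).
make_ca() {
    bc="$1"; out="$2"
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[ req_dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = $bc
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$out" 2>/dev/null
}

# Returns 0 when the certificate's Basic Constraints extension is present and
# flagged critical; openssl prints "critical" on the extension's header line.
bc_is_critical() {
    openssl x509 -in "$1" -noout -text \
        | grep -q 'X509v3 Basic Constraints: critical'
}

# Returns 0 when the certificate carries CA:TRUE at all (critical or not).
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

make_ca "CA:true" "$WORK/old.pem"               # the line ca.cnf shipped with
make_ca "critical,CA:true" "$WORK/fixed.pem"    # the line proposed in this issue

for f in old fixed; do
    if bc_is_critical "$WORK/$f.pem"; then echo "$f.pem: basicConstraints is critical (RFC 5280 compliant)";
    else echo "$f.pem: basicConstraints is NOT critical"; fi
done
```

The same bc_is_critical check can be pointed at an existing CA certificate to audit one that was generated from an older ca.cnf.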

@deyanstoykov deyanstoykov changed the title from The certificate templates don't mark the CA:true extension as critical to The CA certificate generation process doesn't mark the CA:true extension as critical Jun 30, 2015
@alandekok alandekok closed this in 6c6bf32 Jun 30, 2015
@gizmoguy gizmoguy added a commit to gizmoguy/freeradius-server that referenced this issue Jul 1, 2015: 4a6e285 (alandekok + gizmoguy) Set CA basic constraints to "critical". Fixes #1073
@gizmoguy gizmoguy added a commit to gizmoguy/freeradius-server that referenced this issue Jul 1, 2015: d193f8f (alandekok + gizmoguy) Set CA basic constraints to "critical". Fixes #1073
@arr2036 arr2036 added a commit to arr2036/freeradius-server that referenced this issue Jul 15, 2015: 7b805ff (alandekok + arr2036) Set CA basic constraints to "critical". Fixes #1073