We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
This issue was migrated from Pagure Issue #3179. Originally filed by dmoluguw (@SilleBille) on 2020-06-15 18:42:57:
While issuing a CA cert, Path Length constraint accept only -1 value.
-1
pki -c Secret.123 client-cert-request "cn=test" --profile caCACert
# pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-review 41 --file ca-cert-pathlen.crt # vi ca-cert-pathlen.crt # cat ca-cert-pathlen.crt ~snip~ <policyAttribute name="basicConstraintsPathLen"> <Value>10</Value> <Descriptor> <Syntax>integer</Syntax> <Description>Path Length</Description> <DefaultValue>-1</DefaultValue> </Descriptor> </policyAttribute> ~snip~
# pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-approve 41 --input-file ca-cert-pathlen.crt BadRequestException: Request Max Path Length not matched Rejected - {1} # pki -d ~/.dogtag/pki-tomcat/ca/alias/ -n caadmin -c Secret.123 ca-cert-request-update 41 --input-file ca-cert-pathlen.crt BadRequestException: Request Max Path Length not matched Rejected - {1}
PS: The same behavior is observed when updating/approving request via web UI
NOTE: The following constraint message is displayed on both Web UI and CLI
This constraint accepts the Basic Constraint extension, if present, only when Criticality=true, Is CA=true, Min Path Length=-1, Max Path Length=-1
The text was updated successfully, but these errors were encountered:
Comment from dmoluguw (@SilleBille) at 2020-06-29 11:01:17
This seems to be working correctly after setting a positive value in CS.cfg..
positive
However, -1 "logically" refers to unlimited but, the system does not accept a positive value. Since there is a workaround, lowering the priority
Sorry, something went wrong.
Comment from dmoluguw (@SilleBille) at 2020-06-29 11:01:18
Metadata Update from @SilleBille:
No branches or pull requests
This issue was migrated from Pagure Issue #3179. Originally filed by dmoluguw (@SilleBille) on 2020-06-15 18:42:57:
Description
While issuing a CA cert, Path Length constraint accept only
-1
value.Steps to reproduce
pki -c Secret.123 client-cert-request "cn=test" --profile caCACert
PS: The same behavior is observed when updating/approving request via web UI
NOTE: The following constraint message is displayed on both Web UI and CLI
The text was updated successfully, but these errors were encountered: