excessive extension usage on CA certificates #24

Open
necheffa opened this issue Sep 12, 2022 · 1 comment
When GoCA generates a certificate authority (either root or intermediate) the TLS Web Client Authentication and TLS Web Server Authentication extensions are set. CA certificates should be limited to CA activities (Digital Signature, Certificate Sign, CRL Sign).

This behavior can be validated via visual inspection of a certificate with the OpenSSL command: `openssl x509 -noout -text -in myca.crt`

@necheffa necheffa added the invalid This doesn't seem right label Sep 12, 2022
@necheffa necheffa self-assigned this Oct 2, 2022
necheffa commented Oct 2, 2022

`cert.CreateCACert()` appears to be where we set up the usage extensions for CA certificates. Should just be a matter of pruning excessive uses from the `ExtKeyUsage` and `KeyUsage` fields.

I want to do some more research to make sure our extension selection meets best practices and to design a test case or two.
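A possible shape for the test case mentioned in this thread, as an added example that is not GoCA code: it audits a parsed CA certificate for key usages beyond Digital Signature, Certificate Sign and CRL Sign, and for the two TLS extended key usages named in the issue. `auditCA`, `newTestCA` and `caKeyUsage` are hypothetical names, and the CA is a constructed sample self-signed in-process with a fixed-seed test key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not GoCA code. caKeyUsage is the set the issue lists as CA activities.
const caKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// auditCA (hypothetical helper) returns one finding per usage beyond CA activities.
func auditCA(c *x509.Certificate) (findings []string) {
	if extra := c.KeyUsage &^ caKeyUsage; extra != 0 {
		findings = append(findings, fmt.Sprintf("KeyUsage bits %#x", int(extra)))
	}
	for _, eku := range c.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth:
			findings = append(findings, "ExtKeyUsage TLS Web Server Authentication")
		case x509.ExtKeyUsageClientAuth:
			findings = append(findings, "ExtKeyUsage TLS Web Client Authentication")
		}
	}
	return findings
}

// newTestCA (hypothetical helper) self-signs a constructed CA with the given usages.
func newTestCA(ku x509.KeyUsage, eku ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: test key only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "constructed test CA"}, KeyUsage: ku, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if c, err := newTestCA(caKeyUsage, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth); err == nil {
		fmt.Println(auditCA(c))
	}
}
```

Because the audit runs on the certificate after it has been encoded and parsed again, it checks what a relying party would see rather than what the template requested.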
