Support name constraint extension for self-generated CA authority #5759
Comments
|
@maraino do you know if this is an option Smallstep supports? Haven't checked the API yet, wondering if you know.
We have forums: https://caddy.community, no need for another place for discussion. |
|
There seems to be some kind of support: But I don't know certificates and these extensions in enough detail to discern if this support is enough, or how much work it would be (or if it's even a good idea). |
|
@francislavoie: Yes, but you want the name constraints in the intermediate. |
|
Caddy supports a root and intermediate coming from the configuration. If the intermediate has name constraints, it should work automatically. But if you want this from the intermediate that Caddy generates, you will have to add the necessary attributes here: You can do it either in the template or directly in the template. The template is probably more straightforward for you. You will need to get the configuration values from the Caddyfile, so you will need to pass them as a new argument to But again, as this is also an edge case, you can document how to create a new root and intermediate with name constraints, and it will work. So, for example, with step, given a root certificate and key, you can sign an intermediate with the name constraints defined in a template like this ( {
"subject": {{ toJson .Subject }},
"keyUsage": ["certSign", "crlSign"],
"basicConstraints": {
"isCA": true,
"maxPathLen": 0
},
"nameConstraints": {
"critical": true,
"permittedDNSDomains": ["smallstep.com"]
}
}Running: step certificate create --ca root_ca.crt --ca-key root_ca_key --template nc.tpl \
'Smallstep Intermediate' intermediate_ca.crt intermediate_ca_keyPeople using name constraints should know what they exactly mean, as some cases are not obvious. For example, adding just |
|
Thanks @maraino! That helps! I'm clicking around through the code, and I'm noticing that there's nothing in https://github.com/smallstep/crypto/blob/c8a8532f869761ee64c8520ec4f1951a7865d161/x509util/templates.go for name constraints (and some other template fields) currently. Is it reasonable to ask that that's added? I think that would make the API more natural/resilient for us, by using exported consts or functions instead of hard-coding template keys in Caddy. |
With the second template, I meant the template variable in the code, not the template, signer, err := newCert(commonName, x509util.DefaultIntermediateTemplate, lifetime)
if err != nil {
return nil, nil, err
}
if len(config.PermittedDNSDomains) > 0 {
template.PermittedDNSDomainsCritical = true
template.PermittedDNSDomains = config.PermittedDNSDomains
}That assumes that config are configuration options in the Caddyfile. But you can also configure that template and do if conditions. |
We support name constraints in the template, The docs from above show that https://smallstep.com/docs/step-ca/templates/#adding-name-constraints But for your use case, it is probably better to do it like my previous comment, you can even allow users to define the |
|
Thanks for your wisdom and guidance as usual, @maraino 😊 |
When generating a CA cert via caddy and putting that in the trust store, those private keys can also forge certificates for any other domain.
We're only using this for
company.devand two other domains. Would be neat if we could tell Caddy to create a CA with name constraint extension, reducing the scope of its authority to only domains (and their subdomains) that we need it for.Just an idea, feel free to close this if it isn't relevant.
Also, I'd suggest enabling the "Discussions" tab on Github. Then you'd get fewer issues for ideas like this 😄
Background:
https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only
The text was updated successfully, but these errors were encountered: