Follow CAFB guidelines more closely? #22

Open
njsmith opened this issue Aug 7, 2017 · 3 comments

Comments

@njsmith
Member

njsmith commented Aug 7, 2017

There are a bunch of ways we aren't really following CAFB rules. Not sure how much it matters. But for example:

7.1.2.1 rules for root certificates:

  • SHOULD NOT set path_length
  • MUST include keyUsage
    • MUST be marked critical
    • MUST have keyCertSign and cRLSign set

7.1.4.3 CA certificates:

  • MUST have a common name, organization name, and country name

7.1.2.3 subscriber certificates:

  • MUST have certificatePolicies
  • MUST have extKeyUsage

We might have some RFC 5280 fails too, I haven't read it carefully.
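The rules listed in the comment above can be checked mechanically. The following is an added example, not code from this project or from any commenter; it assumes the Python `cryptography` package is installed, and `lint`, `sample_cert` and `SUBJECT_FIELDS` are hypothetical names. The certificate it builds is constructed test data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

SUBJECT_FIELDS = (("common name", NameOID.COMMON_NAME),
                  ("organization name", NameOID.ORGANIZATION_NAME),
                  ("country name", NameOID.COUNTRY_NAME))

def _ext(cert, cls):
    """Return the extension of type cls, or None when it is absent."""
    try:
        return cert.extensions.get_extension_for_class(cls)
    except x509.ExtensionNotFound:
        return None

def lint(cert, role):
    """Return rule violations for a "root" or "subscriber" certificate."""
    if role == "subscriber":
        wanted = ((x509.CertificatePolicies, "certificatePolicies"),
                  (x509.ExtendedKeyUsage, "extKeyUsage"))
        return ["7.1.2.3 %s missing" % n for c, n in wanted if _ext(cert, c) is None]
    found = []
    bc, ku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.KeyUsage)
    if bc is not None and bc.value.path_length is not None:
        found.append("7.1.2.1 path_length set")  # SHOULD NOT, the rest are MUSTs
    if ku is None:
        found.append("7.1.2.1 keyUsage missing")
    else:
        if not ku.critical:
            found.append("7.1.2.1 keyUsage not critical")
        if not (ku.value.key_cert_sign and ku.value.crl_sign):
            found.append("7.1.2.1 keyCertSign/cRLSign not both set")
    return found + ["7.1.4.3 subject lacks " + label for label, oid in SUBJECT_FIELDS
                    if not cert.subject.get_attributes_for_oid(oid)]

def sample_cert(path_length, ku_critical, crl_sign, subject):
    """Build a constructed self-signed CA certificate to lint (test data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, subject[label])
                      for label, oid in SUBJECT_FIELDS if label in subject])
    start = datetime.datetime(2017, 8, 7)
    # Positional order: the sixth flag is keyCertSign, the seventh is cRLSign.
    ku = x509.KeyUsage(False, False, False, False, False, True, crl_sign, False, False)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1).not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=True, path_length=path_length), critical=True)
            .add_extension(ku, critical=ku_critical).sign(key, hashes.SHA256()))
```
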

@pquentin
Member

There was some progress in #30 with fdcfbf8 (and 684854b):

  • keyUsage and extKeyUsage are now set.
  • however, path_length is now incorrectly set on root CAs, sorry about that.

@pquentin
Member

Using a tool like https://github.com/globalsign/certlint could help!

@graingert
Member

#328 sets EKU and KU now
