Re: restricting the scope of CA certificates

On 06/03/2016 01:52 PM, Nikos Mavrogiannopoulos wrote:
> On Fri, 2016-06-03 at 10:24 +0200, Florian Weimer wrote:
>> On 06/03/2016 09:13 AM, Nikos Mavrogiannopoulos wrote:
>>> If you are of the types who like tinkering, here is a way to restrict
>>> CA certificates in your Fedora on specific domains. Currently limited
>>> to gnutls applications.
>>>
>>> http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html
>>
>> Is there also a way to do the opposite, that is, list which CAs are
>> permitted to issue certificates for certain parts of the DNS tree?
>
> If your question is whether it is doable, then the answer is yes. One
> would need to traverse all existing certificates in the trust module
> and use the name constraints extension. In terms of gnutls API you'd
> probably like to call gnutls_x509_crt_import_url() with
> the GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT flag on all the
> certificate objects in the trust module, and sort their name
> constraints. There is no tool for that though.

Sorry, I didn't realize that my question was worded ambiguously.

Let me rephrase it: Is it possible to express that only the Red Hat internal CA may issue certificates under *.corp.redhat.com, and no other CAs may issue certificates for this subtree?

Thanks,
Florian
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx
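The two questions in this exchange (which CAs may issue for a given part of the DNS tree, and whether one CA can be made the only issuer for a subtree) both come down to how the name constraints extension is evaluated. The following added example is not code from the thread, from gnutls or from the linked blog post; it is a small pure-Python model of the RFC 5280 dNSName matching rule applied to a constructed trust store. The CA names, the `corp.example.com` subtree (standing in for the thread's corp.redhat.com) and the host names are constructed; `cas_permitted_for` answers the "opposite" query Nikos describes doing by traversing the trust module, and `make_exclusive` shows what the rephrased question requires: because name constraints are attached to each CA, exclusivity for one CA has to be expressed as an excludedSubtrees entry on every other CA in the store, not on the internal CA alone.

```python
"""Model of RFC 5280 dNSName name constraints over a small trust store.

Added example, not code from the thread or from gnutls. The CA records
and host names are constructed to illustrate the evaluation rule.
"""
from dataclasses import dataclass, field


@dataclass
class TrustedCA:
    """One trust-store entry with the dNSName parts of its name constraints.

    permitted: if non-empty, a leaf name must fall under at least one entry.
    excluded:  a leaf name under any entry is rejected, whatever permitted says.
    """
    name: str
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def dns_name_matches(constraint: str, host: str) -> bool:
    """RFC 5280 section 4.2.1.10 dNSName rule: any name formed by adding zero
    or more labels to the left of the constraint matches it. Comparison is
    case-insensitive; a leading '.' on the constraint is tolerated."""
    c = constraint.lower().lstrip(".")
    h = host.lower().rstrip(".")
    return h == c or h.endswith("." + c)


def ca_may_issue_for(ca: TrustedCA, host: str) -> bool:
    """Apply excludedSubtrees first, then permittedSubtrees when present."""
    if any(dns_name_matches(x, host) for x in ca.excluded):
        return False
    if ca.permitted and not any(dns_name_matches(p, host) for p in ca.permitted):
        return False
    return True


def cas_permitted_for(store: list, host: str) -> list:
    """The 'opposite' query from the thread: which CAs may issue for host."""
    return [ca.name for ca in store if ca_may_issue_for(ca, host)]


def make_exclusive(store: list, owner: str, subtree: str) -> list:
    """Express 'only `owner` may issue under `subtree`' with name constraints.

    Constraints are per CA, so exclusivity cannot be stated on the owner
    alone: every other CA gets `subtree` added to its excludedSubtrees.
    Returns a new store; the input records are left unchanged.
    """
    out = []
    for ca in store:
        extra = [] if ca.name == owner else [subtree]
        out.append(TrustedCA(ca.name, list(ca.permitted), list(ca.excluded) + extra))
    return out


# Constructed trust store: an internal CA restricted to its subtree (the kind
# of restriction the linked blog post applies) plus two unconstrained public CAs.
STORE = [
    TrustedCA("Internal Corp CA", permitted=["corp.example.com"]),
    TrustedCA("Public CA 1"),
    TrustedCA("Public CA 2"),
]

if __name__ == "__main__":
    host = "build.corp.example.com"
    print("before:", cas_permitted_for(STORE, host))
    hardened = make_exclusive(STORE, "Internal Corp CA", "corp.example.com")
    print("after: ", cas_permitted_for(hardened, host))
    print("public:", cas_permitted_for(hardened, "www.example.org"))
```

Run as a script, the "before" line lists all three CAs for the internal host name, because restricting the internal CA's permittedSubtrees says nothing about what the public CAs may issue; after `make_exclusive` only the internal CA remains for that subtree while the public CAs are still usable for everything else. In a real trust module the exclusion would have to be written onto every other trust object (the per-object step Nikos describes with gnutls_x509_crt_import_url()), and it protects only applications that honour the trust module's constraint data.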
