From: Arshad N. <ars...@st...> - 2012-05-25 16:35:53

Thank you, Anders; I will give this a shot. However, once I've added the
custom extension to EJBCA, will EJBCA restrict the issuance of digital
certificates based on the values in the constraint? That is, will it
ensure that server SSL certificates are issued only to "strongauth.com"
if the permitted sub-tree has such a restriction for DNS names?

Arshad Noor
StrongAuth, Inc.

On 05/25/2012 12:46 AM, ejbca-support wrote:
> Hi Arshad,
>
> Name Constraints have indeed gotten more attention by the PKI
> community lately. EJBCA can "as is" support NCs. However, there
> is *currently* no GUI support; you have to provide the data as a
> DER string. Fortunately this is not overly complex to create and
> here is an example of such:
>
> Permitted
> [1]Subtrees (0..Max):
> RFC822 Na...@ex...
> [2]Subtrees (0..Max):
> Directory Address:
> O=EXAMPLE
> C=US
> Excluded=None
>
> This is a Java program that creates the DER code which must be coded into hex in
> a custom extension using the NC OID:
>
> import org.bouncycastle.asn1.ASN1EncodableVector;
> import org.bouncycastle.asn1.DERObject;
> import org.bouncycastle.asn1.DERSequence;
> import org.bouncycastle.asn1.DERTaggedObject;
> import org.bouncycastle.asn1.x509.GeneralName;
> import org.bouncycastle.asn1.x509.X509Name;
>
> import java.io.FileOutputStream;
>
> public class KBBC
> {
>     // NameConstraints ::= SEQUENCE { permittedSubtrees [0], excludedSubtrees [1] }
>     static ASN1EncodableVector v = new ASN1EncodableVector();
>     // permittedSubtrees: SEQUENCE OF GeneralSubtree
>     static ASN1EncodableVector vec = new ASN1EncodableVector();
>
>     // GeneralSubtree ::= SEQUENCE { base GeneralName }; minimum (default 0) and maximum are omitted
>     static void addRFC822 (String rfc822name) throws Exception
>     {
>         vec.add (new DERSequence (new GeneralName(GeneralName.rfc822Name,rfc822name)));
>     }
>
>     public static void main (String[] args) throws Exception
>     {
>         addRFC822 ("@example.com");
>         vec.add (new DERSequence (new GeneralName(GeneralName.directoryName,new X509Name ("O=EXAMPLE,C=US"))));
>         // [0] IMPLICIT (explicit=false) wraps the permitted subtrees; no excludedSubtrees are added
>         v.add (new DERTaggedObject(false, 0, new DERSequence(vec)));
>         DERObject gn = new DERSequence (v);
>         // args[0]: output file receiving the raw DER, to be hex-encoded for the custom extension
>         FileOutputStream fos = new FileOutputStream (args[0]);
>         fos.write (gn.getDEREncoded ());
>         fos.close ();
>     }
> }
>
> Regards,
> Anders Rundgren
> tech support
>
> On 2012-05-24 22:14, Arshad Noor wrote:
>> Hi,
>>
>> Not sure if I'm reading this correctly, but does EJBCA have support
>> for issuing/understanding certificates with the nameConstraints (OID
>> 2.5.29.30) extension in them, so it can only issue certificates that
>> conform to the constraint? I don't see any reference to this
>> constraint in its documentation.
>>
>> I did find an old e-mail that seems to indicate that PrimeKey does
>> NOT recommend this extension:
>>
>> http://osdir.com/ml/java.ejbca.devel/2006-02/msg00092.html
>>
>> Unfortunately, because of all the problems recently with CAs being
>> compromised, TTP CAs are now planning to enforce the use of this
>> extension to limit their liability. However, the CA software must
>> be able to support the use of the constraint and check all CSRs to
>> see if the constraint is satisfied before issuing the certificate.
>> I'm unable to find anything in EJBCA docs that indicate this is
>> supported; can someone please provide some clarification? Thanks.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
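As an added example (not from the thread, and not EJBCA code), the following Python builds the same NameConstraints DER structure that the Java program above produces, using hand-rolled encoding so it needs no library, and then performs the issuance-time check asked about in the reply: each requested dNSName or rfc822Name is tested against the permitted and excluded subtrees using the RFC 5280 matching rules. The names, the "internal" carve-out and the tag constants are constructed sample values; the rfc822 constraint uses the bare host-name form from RFC 5280 rather than the "@example.com" string in the Java program.

```python
# Added example, not code from the thread or from EJBCA: hand-rolled DER for a
# NameConstraints extension (RFC 5280 4.2.1.10) and the issuance-time check.
RFC822_NAME, DNS_NAME = 0x81, 0x82  # GeneralName [1] / [2] IMPLICIT IA5String

def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER TLV; lengths of 128 or more use the long form (0x80 | byte count)."""
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + content

def general_subtrees(tag: int, entries) -> bytes:
    """[tag] IMPLICIT SEQUENCE OF GeneralSubtree { base GeneralName }, min/max omitted."""
    return der_tlv(tag, b"".join(der_tlv(0x30, der_tlv(t, v.encode("ascii")))
                                 for t, v in entries))

def name_constraints(permitted, excluded=()) -> bytes:
    """NameConstraints ::= SEQUENCE { permittedSubtrees [0] OPTIONAL, excludedSubtrees [1] OPTIONAL }."""
    body = general_subtrees(0xA0, permitted) if permitted else b""
    body += general_subtrees(0xA1, excluded) if excluded else b""
    return der_tlv(0x30, body)

def dns_permitted(constraint: str, name: str) -> bool:
    """dNSName: the host itself or any name made by adding labels on the left."""
    c, n = constraint.lower(), name.lower()
    return n == c or n.endswith("." + c)

def rfc822_permitted(constraint: str, addr: str) -> bool:
    """rfc822Name: a full mailbox, a bare host name, or a leading-dot domain."""
    c, a = constraint.lower(), addr.lower()
    if "@" in c:
        return a == c
    host = a.partition("@")[2]
    return host.endswith(c) if c.startswith(".") else host == c

def issuance_allowed(permitted, excluded, requested) -> bool:
    """Every requested (tag, value) must match a permitted subtree of its type
    (no entry for that type means unconstrained) and no excluded subtree."""
    match = {RFC822_NAME: rfc822_permitted, DNS_NAME: dns_permitted}
    for tag, value in requested:
        allow = [v for t, v in permitted if t == tag]
        if allow and not any(match[tag](c, value) for c in allow):
            return False
        if any(match[tag](c, value) for t, c in excluded if t == tag):
            return False
    return True

# Constructed sample: mail at example.com, hosts under strongauth.com minus "internal".
PERMITTED = [(RFC822_NAME, "example.com"), (DNS_NAME, "strongauth.com")]
EXCLUDED = [(DNS_NAME, "internal.strongauth.com")]
EXTENSION_DER = name_constraints(PERMITTED, EXCLUDED)
```

The hex of EXTENSION_DER is what would go into the custom extension field; the issuance_allowed check is the part a CA must run against every CSR for the constraint to mean anything.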