Remove AIA extension from root CA signing cert #4434
Conversation
The bootstrap caCert.profile has been modified such that root CA signing certs will no longer have an AIA extension. The regular CA signing cert profiles have not been modified, so sub CA signing certs will continue to have an AIA extension.
Some CI tests have been updated to validate the AIA extension removal from root CA signing certs. The test-ca-signing-cert-ext.sh has been modified to verify that there are no AIA extensions in the root CA signing cert. The test-subca-signing-cert-ext.sh has been modified to check for an AIA extension in the sub CA signing cert pointing to the root CA's OCSP responder. A new test-ms-subca-signing-cert-ext.sh has been added as a copy of the original test-subca-signing-cert-ext.sh to check for MS sub CA extensions.
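The invariant the updated tests enforce, as an added example that is not part of this PR or of the pki test scripts: a self-signed root CA signing cert must carry no AIA extension, while a sub CA signing cert issued by that root must carry an AIA whose OCSP URI points at the root's responder. It assumes a local openssl (1.1.1 or later); the subject names and the OCSP URI are constructed, the URI chosen to match the test's expected file.

```shell
#!/bin/sh
# Added example (not pki project code): build a root CA and a sub CA with
# openssl, then apply the same AIA checks the CI tests describe.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed value; mirrors the URI the test writes into its expected file.
OCSP_URI="http://root.example.com:8080/ca/ocsp"

# Root CA signing cert: self-signed, deliberately without authorityInfoAccess.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/O=EXAMPLE/CN=Root CA Signing Certificate" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# Sub CA signing cert: CSR signed by the root, with AIA -> root's OCSP responder.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=EXAMPLE/CN=Sub CA Signing Certificate" \
  -keyout "$WORK/subca.key" -out "$WORK/subca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nauthorityInfoAccess=OCSP;URI:%s\n' \
  "$OCSP_URI" > "$WORK/subca.ext"
openssl x509 -req -days 30 -sha256 -in "$WORK/subca.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -set_serial 1001 \
  -extfile "$WORK/subca.ext" -out "$WORK/subca.crt" 2>/dev/null

# aia_ocsp_uri CERT: print the OCSP URI(s) from the AIA extension, or nothing
# when the cert has no AIA.
aia_ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# check_signing_cert CERT: a self-signed cert (subject == issuer) is a root and
# must have no AIA; any other CA cert must carry an AIA pointing at $OCSP_URI.
# Returns 0 when the cert satisfies the rule, 1 otherwise.
check_signing_cert() {
    cert=$1
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    uri=$(aia_ocsp_uri "$cert")
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        [ -z "$uri" ]               # root CA: AIA must be absent
    else
        [ "$uri" = "$OCSP_URI" ]    # sub CA: AIA must name the root's OCSP
    fi
}

check_signing_cert "$WORK/root.crt"  || { echo "root CA: unexpected AIA"; exit 1; }
check_signing_cert "$WORK/subca.crt" || { echo "sub CA: AIA missing or wrong"; exit 1; }
echo "root CA has no AIA; sub CA AIA -> $(aia_ocsp_uri "$WORK/subca.crt")"
```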
```sh
sed -En '1N;$!N;s/^ *(1.3.6.1.4.1.311.20.2: .*)\n *(.*)\n *(.*)/\1\n\2\n\3/p;D' output | tee actual
# verify there is an AIA extension pointing to root CA's OCSP responder
echo "Authority Information Access: " > expected
echo "OCSP - URI:http://root.example.com:8080/ca/ocsp" >> expected
```
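Review bot: the sed on the first line still selects the three-line block headed by 1.3.6.1.4.1.311.20.2 (the Microsoft certificate template OID), while the comment and the expected file describe the Authority Information Access block; unless the filter is changed to capture the `Authority Information Access:` header and its `OCSP - URI:` line, `actual` will hold the template block and the comparison with `expected` cannot pass. The comment should also say that the expected URI is the root CA's default responder, since a configured ca.defaultOcspUri replaces it in every cert the root signs.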
ok here. Just want to point out that if the root CA has an external OCSP setup, and its ca.defaultOcspUri (in CS.cfg) is set to point to the external OCSP, then all the certs signed by the CA will have an AIA pointing to the value of ca.defaultOcspUri.
yeah, we don't have any tests for ca.defaultOcspUri in upstream CI right now.
LGTM
@ladycfu Thanks! I'll merge this to the
Notes: caCert.profile may need to be cherry-picked into the v10.13 branch.