  1. EJBCA
  2. ECA-3707

Do not generate non-active XKMS and CMS certificates as it can violate name constraints

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.2.2
    • Component/s: None
    • Labels:
      None

      Description

      • A sub CA with "CN=Sub CA, O=PrimeKey,C=SE"
      • Sub CA certificate issued from (external) Root CA, Sub CA certificate has name constraints "OU= Domain Validated"

      The meaning of the name constraint is that end entity certificates from Sub CA must be "CN=foo,OU=Domain Validated".

      Currently it is not possible to import the Sub CA certificate because when you do that the Sub CA tries to generate an XKMS and CMS certificate that violates name constraints.

      The easy fix:

      • Do not generate XKMS and CMS certificates/keystores when these services are not active.
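
The constraint check described in this issue, as an added example that is not EJBCA code: a simplified directoryName permitted-subtree test in the style of RFC 5280 section 4.2.1.10, run over candidate subject DNs. The two service DNs are constructed and assume the service certificates are named under the CA's own O and C; the issue does not state their actual subject. DN parsing ignores escaped commas and multi-valued RDNs.

```python
# Added example (not EJBCA code): directoryName name-constraint check.

def parse_dn(dn):
    """Parse 'CN=foo,OU=Bar' into RDNs in ASN.1 order (most significant first)."""
    rdns = []
    for part in dn.split(","):
        if not part.strip():
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Simplified comparison: case-insensitive, whitespace collapsed.
        rdns.append((attr.strip().upper(), " ".join(value.split()).lower()))
    # The string form lists the most specific RDN first; ASN.1 order is reversed.
    return list(reversed(rdns))

def within_subtree(subject, base):
    """True if the base DN is a leading RDN sequence of the subject DN."""
    s, b = parse_dn(subject), parse_dn(base)
    return 0 < len(b) <= len(s) and s[:len(b)] == b

def permitted(subject, permitted_subtrees):
    """Apply the permitted directoryName subtrees to one subject DN."""
    if not permitted_subtrees:
        return True  # no directoryName constraint, so nothing to violate
    return any(within_subtree(subject, base) for base in permitted_subtrees)

def violations(subjects, permitted_subtrees):
    """Return the subject DNs that must not be issued under the constraint."""
    return [s for s in subjects if not permitted(s, permitted_subtrees)]

PERMITTED = ["OU= Domain Validated"]  # constraint as written in the issue
CANDIDATES = [
    "CN=foo,OU=Domain Validated",                  # end entity DN from the issue
    "CN=Constructed XKMS Service,O=PrimeKey,C=SE",  # constructed sample
    "CN=Constructed CMS Service,O=PrimeKey,C=SE",   # constructed sample
]

if __name__ == "__main__":
    for dn in CANDIDATES:
        status = "permitted" if permitted(dn, PERMITTED) else "VIOLATION"
        print(f"{status:10} {dn}")
```

Running the same check before issuing any internal service certificate lets a CA skip or reject names that its own CA certificate does not permit.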

            People

            Assignee:
            samuel Samuel Lidén Borell
            Reporter:
            tomas Tomas Gustavsson
            Verified by:
            Mike Agrenius Kushner