section [ easyrsa_ca ] in openssl-easyrsa.cnf is ignored #1090

Closed
febs opened this issue Mar 12, 2024 · 6 comments
Labels: X509-types (x509-types and related)

Comments

@febs

febs commented Mar 12, 2024

Trying to alter the basicConstraint to set CA:TRUE as critical, as imposed by rfc5280 paragraph 4.2.1.9:

Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates.

the build_ca ignores what's in that section and generates a CA certificate that does not have the "critical" constraint. Also trying to forcefully set "CA:FALSE" is ignored, suggesting that the section is ignored as a whole.

If that is not the section actually used by build_ca to create a new CA, then what is it, and what is the purpose of the [ easyrsa_ca ] section then?

Many thanks for any clarification.

@TinCanTech
Collaborator

Which version of Easy-RSA are you using?

@febs
Author

febs commented Mar 12, 2024

EasyRSA Version Information
Version: 3.1.7
Generated: Fri Oct 13 17:27:51 CDT 2023
SSL Lib: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Git Commit: 3c233d2
Source Repo: https://github.com/OpenVPN/easy-rsa

@TinCanTech
Collaborator

Easy-RSA does not support basicConstraint critical at this time.

Work is being done here: #1063

Take a look in the x509-types folder; you can make changes there.

TinCanTech added the X509-types (x509-types and related) label Mar 12, 2024
@febs
Author

febs commented Mar 13, 2024

Thanks for your reply.
I still don't get what the section named [ easyrsa_ca ] is for.

If that isn't used at all, may I suggest removing it from the .cnf file altogether? It might cause confusion otherwise.

Thanks for your assistance,

@febs
Author

febs commented Mar 13, 2024

Also, editing x509-types worked, so it is supported apparently.

Thank you,

@TinCanTech
Collaborator

I still don't get what the section named [ easyrsa_ca ] is for.

It is used here:

# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
#%CA_X509_TYPES_EXTRA_EXTS%	# Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
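A check for the point this thread turns on, added here as an example and not Easy-RSA's own code: it builds two throwaway self-signed CAs with the openssl CLI (assumed to be on PATH, 1.1.1 or 3.x), one whose extension block says `basicConstraints = critical, CA:TRUE` as you would write it in an x509-types/ca file and one that omits `critical`, then reads the parsed certificate back to confirm whether the extension is marked critical as RFC 5280 4.2.1.9 requires. The subject name and file names are constructed for the demo.

```shell
# Added example, not Easy-RSA code. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl config whose [v3_ca] section is the extension block;
# the key = value lines use the same format as an Easy-RSA x509-types/ca file.
write_cfg() {  # $1 = output file, $2 = basicConstraints value
  cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = constructed-test-ca
[ v3_ca ]
basicConstraints = $2
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Build a throwaway self-signed CA (P-256 key, valid 1 day) from the config in $2.
make_ca() {  # $1 = output PEM certificate, $2 = config file
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -keyout "$1.key" -out "$1" -config "$2" -extensions v3_ca >/dev/null 2>&1
}

# Exit 0 only if the certificate carries a basicConstraints extension that is
# BOTH marked critical and CA:TRUE, i.e. what RFC 5280 4.2.1.9 requires of a CA.
ca_bc_is_critical() {  # $1 = PEM certificate
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 Basic Constraints:/ { in_bc = 1; crit = ($0 ~ /critical/); next }
    in_bc { if (crit && $0 ~ /CA:TRUE/) ok = 1; in_bc = 0 }
    END { exit ok ? 0 : 1 }'
}

write_cfg "$WORK/strict.cnf" "critical, CA:TRUE"   # RFC-conformant CA extension
write_cfg "$WORK/weak.cnf"   "CA:TRUE"             # critical flag omitted
make_ca "$WORK/strict.crt" "$WORK/strict.cnf"
make_ca "$WORK/weak.crt"   "$WORK/weak.cnf"

for c in strict weak; do
  if ca_bc_is_critical "$WORK/$c.crt"; then
    echo "$c.crt: basicConstraints is critical and CA:TRUE"
  else
    echo "$c.crt: basicConstraints missing, non-critical, or not CA:TRUE"
  fi
done
```

Run `ca_bc_is_critical pki/ca.crt` against the certificate build-ca produced to see which of the two cases your x509-types/ca file currently yields.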
