Open ElishaAz opened 2 years ago
Looks like this is related to PR #70, once that gets merged we'll have you try again. Or you can clone the forked repo if you want to test before it's merged.
I solved this by modifying two functions.
The issue is in `ca_sign_csr`; specifically, this part is unconditional and always sets `ca=True`, which is not desirable:

```python
certificate = certificate.add_extension(
    x509.BasicConstraints(ca=True, path_length=None),
    critical=True,
)
```
The way I solved it is by adding a parameter called `ca` to the functions `ca_sign_csr` in certs.py and also `issue_certificate` in ownca.py.
This is what the `issue_certificate` signature looks like:

```python
def issue_certificate(
    self,
    hostname,
    maximum_days=825,
    common_name=None,
    dns_names=None,
    oids=None,
    public_exponent=65537,
    key_size=2048,
    ca=False,
):
```
Then the call to `issue_csr` within that function looks like this:

```python
csr = issue_csr(
    key=key_data.key,
    common_name=common_name,
    dns_names=dns_names,
    oids=oids,
    ca=ca,  # this line was added
)
```
The signature of `issue_csr` now looks like this:

```python
def issue_csr(key=None, common_name=None, dns_names=None, oids=None, ca=False):
```
Then the line in that function which sets the basic constraints is changed to this:

```python
csr_builder = csr_builder.add_extension(
    x509.BasicConstraints(ca=ca, path_length=None), critical=False
)
```
A bit tedious, but it worked like a charm.
Mozilla does not trust an end certificate with a `basicConstraints` extension with the value `cA: TRUE`.
See: https://stackoverflow.com/a/59739121/8110579
Perhaps make it an optional argument?
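To make the effect of the unconditional `ca=True` concrete, here is an added example (not ownca code, stdlib only) that encodes and decodes the `BasicConstraints` extension value as DER and audits an end-entity certificate for the exact defect discussed above: a leaf carrying `cA: TRUE`. It assumes short-form DER lengths, which is always the case for this extension.

```python
from typing import Optional

# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
# DER forbids encoding DEFAULT values, so a leaf's value is the empty SEQUENCE 30 00.


def encode_basic_constraints(ca: bool, path_length: Optional[int] = None) -> bytes:
    """DER-encode BasicConstraints; ca=False is what issue_csr(ca=False) should emit."""
    if path_length is not None and not ca:
        raise ValueError("pathLenConstraint requires cA TRUE (RFC 5280 4.2.1.9)")
    body = b"\x01\x01\xff" if ca else b""  # BOOLEAN TRUE is 0xFF in DER
    if path_length is not None:
        if path_length < 0:
            raise ValueError("pathLenConstraint must be >= 0")
        n = path_length.to_bytes((path_length.bit_length() + 8) // 8, "big")
        body += b"\x02" + bytes([len(n)]) + n
    return b"\x30" + bytes([len(body)]) + body


def decode_basic_constraints(der: bytes) -> dict:
    """Parse BasicConstraints; strict_der is False for BER-only encodings."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed BasicConstraints SEQUENCE")
    body, pos, ca, plen, strict = der[2:], 0, False, None, True
    if pos < len(body) and body[pos] == 0x01:  # BOOLEAN cA
        if pos + 3 > len(body) or body[pos + 1] != 1:
            raise ValueError("BOOLEAN must be exactly one content byte")
        val = body[pos + 2]
        ca = val != 0
        strict = val == 0xFF  # explicit FALSE or TRUE != 0xFF is BER, not DER
        pos += 3
    if pos < len(body) and body[pos] == 0x02:  # INTEGER pathLenConstraint
        ln = body[pos + 1] if pos + 1 < len(body) else 0
        if ln == 0 or pos + 2 + ln > len(body):
            raise ValueError("truncated pathLenConstraint")
        plen = int.from_bytes(body[pos + 2:pos + 2 + ln], "big")
        pos += 2 + ln
    if pos != len(body):
        raise ValueError("trailing bytes in BasicConstraints")
    return {"ca": ca, "path_length": plen, "strict_der": strict}


def audit_leaf_basic_constraints(der: bytes) -> Optional[str]:
    """Return a finding for an end-entity certificate, or None if it is clean."""
    bc = decode_basic_constraints(der)
    if bc["ca"]:
        return "end-entity certificate asserts cA TRUE; Firefox rejects such a leaf"
    if not bc["strict_der"]:
        return "cA encoded explicitly as FALSE; not DER, strict verifiers reject it"
    return None
```

Feed `audit_leaf_basic_constraints` the raw extension value of a cert issued with the old `ca_sign_csr` and it reports the `cA TRUE` finding; after the `ca=False` fix the value is `30 00` and the audit is clean.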