Closed kebugcheckex closed 2 years ago
necheffa
commented
2 years ago This looks like a genuine bug. In the CA.create() method we handle the root CA as a special case, setting the appropriate constraint. And this is missing when generating an intermediate CA.
kebugcheckex
commented
2 years ago I made some attempts to fix this issue but ran into some difficutlies with the current code architecture.
According to x509 package docs,
The certificate is signed by parent. If parent is equal to template then the certificate is self-signed. The parameter pub is the public key of the certificate to be generated and priv is the private key of the signer.
I was trying to add a parameter to CreateRootCert in cert.go that identifies the parent certificate. If this param is not empty, it indicates that we are creating an intermediate CA signed by a parent CA. However, the code quickly got messy as I tried to refactor the logic. The fundamental issue here is that using the x509 package, it doesn't need a CSR for the parent CA to sign the intermediate CA's certificate. It is done automatically inside the CreateCertificate function.
Does anyone have any better ideas on how to fix this issue?
necheffa
commented
2 years ago This issue was fixed as part of PR #25. Closing.
Here's roughly what I did
intermediate: true. Now the ICA is pending certificateHowever, when I try to import both the root CA and the intermediate CA into my browser, the browser says the intermediate CA is not a certificate authority.
So I checked the intermediate CA certificate, using
openssl x509 intermediate-ca.crt -noout -text, I don't see the following lineI also inspected the code. It seems that when
intermediateis set totrue, it creates a CSR. In theCreateCSRfunction, nothing is setting theIsCAfield.Is this a bug or did I do something wrong?
Thanks.