openconfig / reference

This repository contains reference implementations, specifications and tooling related to OpenConfig-based network management.
Apache License 2.0

Regarding gnoi.cert CSRParams message #72

Open andaru opened 7 years ago

andaru commented 7 years ago

The CSRParams message in cert.proto makes no requirements for any CSR parameters to be set, either formally or informally.

Tooling such as openssl req ... doesn't appear to require any field to be set, either, as long as the subject starts with a slash.

However, one of the purposes of creating an x509v3 certificate is to assign an intended usage to the key.

While it appears to be valid to provide empty CSR parameters, would this be considered an operator mistake by some? Or is it common practice?

andaru commented 7 years ago

Relevant RFC section: https://tools.ietf.org/html/rfc5280#section-4.1.2.6

The answer from this appears to be that maybe some fields are necessary; the target can be considered a CA if it's generating the signing request itself.
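
The question raised in this thread, as an added example that is not part of the original comments or of the openconfig code: a request built with every parameter unset still parses and verifies, so rejecting it has to be a deliberate policy check. The helpers `makeCSR` and `checkCSR`, the policy itself (non-empty subject or at least one subjectAltName) and the sample hostname are assumptions; Go's `crypto/x509` stands in for whatever library a target would use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// ErrNoIdentity: the request names nothing the key could be bound to.
var ErrNoIdentity = errors.New("CSR has empty subject and no subjectAltName")

// makeCSR builds a DER PKCS#10 request from constructed sample parameters.
// An empty commonName yields an empty subject, like all-unset CSR parameters.
func makeCSR(commonName string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, fmt.Errorf("generate key: %w", err)
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, DNSNames: dnsNames}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR is a hypothetical policy check (an assumption, not part of gNOI):
// the request must parse, be correctly self-signed, and carry an identity.
func checkCSR(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	sans := len(csr.DNSNames) + len(csr.IPAddresses) + len(csr.EmailAddresses) + len(csr.URIs)
	if len(csr.Subject.Names) == 0 && sans == 0 {
		return ErrNoIdentity
	}
	return nil
}

func main() {
	empty, _ := makeCSR("", nil)
	fmt.Println("empty params:", checkCSR(empty))
	named, _ := makeCSR("router1.example.net", []string{"router1.example.net"})
	fmt.Println("named:", checkCSR(named))
}
```

A request with an empty subject but a DNS subjectAltName passes this check, which matches the RFC 5280 allowance for an empty subject when a subjectAltName is present.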