smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Issue EV Certificates #1455

Open reesericci opened 1 year ago

reesericci commented 1 year ago

Hello!

Issue details

I'd like to see step-ca be able to issue Extended Validation (EV) certificates, so it can show the company name in the header.

Why is this needed?

It would allow websites with certs from the internal CA to signal trust to users that they are accessing an official organization website.

For example, Company A issues Computer A with their CA preinstalled. User B uses Computer A to access an internal company website with an EV cert. The browser would show the company name in the header which signals to the user they are accessing an official website instead of just "Secure" or a lock icon.

I don't think this is a security risk because a bad actor would have to pre-install the CA on a user's computer, in which case EV or not doesn't make a difference.

hslatman commented 1 year ago

Hey @reesericci,

I think there are no changes required in step-ca to issue certificates that would be considered "compatible with EV", as they're regular X.509 certificates with some specific data in them. If I'm correct, EV certificates need a certificate issuance policy OID set, and the systems that should consider the certificates to be EV certificates should have the appropriate configuration, which includes knowing that OID.

Setting custom OIDs is possible using templates. One example of adding a custom OID is shown in https://smallstep.com/docs/step-ca/templates/#asn1-values. The configuration for Windows machines is described in https://richardjgreen.net/extended-validation-ev-internal-certificate-authority/, but other examples exist too. I haven't looked into what it needs on other platforms.

The above would be just about customizing the certificate contents. It doesn't include implementing logic that actually enforces the certificate policies. Enforcing the policy would be useful, but would take a considerably larger effort to implement correctly.

That said, Extended Validation certificates are losing their "security value", because browsers are increasingly removing special treatment for these certificates. See https://www.troyhunt.com/extended-validation-certificates-are-dead/ and https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/, for example.
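The two halves of the comment above, as an added example that is not part of the issue thread or of step-ca's code: the issuing side puts a certificatePolicies extension (RFC 5280, section 4.2.1.4) carrying the organization's policy OID into the leaf, which is the part a step-ca template would do; the relying-party side, which step-ca does not implement, verifies the chain to the pre-installed root and then additionally requires that OID before treating the certificate as "EV". The policy OID `1.3.6.1.4.1.99999.1.1`, the host names and the CA subject are placeholders constructed for this example; it uses Go's standard `crypto/x509` so it runs with no step-ca installation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder standing in for an organization's own EV policy
// identifier; a real deployment assigns one under its own OID arc.
var examplePolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}

// id-ce-certificatePolicies (RFC 5280, section 4.2.1.4).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation mirrors RFC 5280 PolicyInformation. Qualifiers (CPS URIs,
// user notices) are optional and kept raw so real-world certificates still parse.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// certificatePoliciesExtension DER-encodes SEQUENCE OF PolicyInformation.
// Marshalling it by hand keeps the example independent of the Go version's
// choice between the PolicyIdentifiers and Policies template fields.
func certificatePoliciesExtension(policies []asn1.ObjectIdentifier) (pkix.Extension, error) {
	infos := make([]policyInformation, len(policies))
	for i, p := range policies {
		infos[i] = policyInformation{Policy: p}
	}
	der, err := asn1.Marshal(infos)
	return pkix.Extension{Id: oidCertificatePolicies, Value: der}, err
}

// newCA creates a throwaway self-signed root, playing the role of the
// company CA pre-installed on the user's machine.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a server certificate for host. When policies is non-empty
// the certificatePolicies extension is added, which is all that makes the
// certificate "EV-compatible" on the wire.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, policies []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Example Corp"}},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(policies) > 0 {
		ext, err := certificatePoliciesExtension(policies)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{ext}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasPolicy parses the raw certificatePolicies extension and reports whether
// oid is among the asserted policies. A malformed extension counts as absent.
func hasPolicy(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if rest, err := asn1.Unmarshal(ext.Value, &infos); err != nil || len(rest) != 0 {
			return false
		}
		for _, info := range infos {
			if info.Policy.Equal(oid) {
				return true
			}
		}
	}
	return false
}

// verifyWithPolicy is the relying-party check: a normal chain and hostname
// verification against the trusted root, then the extra policy requirement.
// A certificate that chains correctly but lacks the OID is valid TLS, just not EV.
func verifyWithPolicy(leaf, root *x509.Certificate, host string, oid asn1.ObjectIdentifier) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if !hasPolicy(leaf, oid) {
		return errors.New("chains to trusted root but lacks the required policy OID")
	}
	return nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	ev, _ := issueLeaf(ca, caKey, "intranet.example.com", []asn1.ObjectIdentifier{examplePolicyOID})
	plain, _ := issueLeaf(ca, caKey, "intranet.example.com", nil)
	fmt.Println("leaf with policy OID:   ", verifyWithPolicy(ev, ca, "intranet.example.com", examplePolicyOID))
	fmt.Println("leaf without policy OID:", verifyWithPolicy(plain, ca, "intranet.example.com", examplePolicyOID))
}
```

The order of the checks in `verifyWithPolicy` matters: the policy OID is only meaningful after the chain has been verified to the pre-installed root, which is why an attacker who cannot install that root gains nothing from copying the OID into their own certificate, the point made in the opening post.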

reesericci commented 1 year ago

I think then just publishing some kind of example template for EV certs would be good, thanks for the insight.