From: Lloyd <ng2d68@proton.me>
Subject: ikectl(8) CERTPATHLEN value
To: "tech@openbsd.org" <tech@openbsd.org>
Date: Wed, 29 Jan 2025 20:32:29 +0000

The "ikectl ca" command is used to create a simple one-tier CA for
use with iked(8). However, the default config creates a root cert
with path length = 1, which allows the issuance of intermediate CA
certificates below this root. Since the intent of this simple CA is
to only issue end-entity certs by means of ikectl(8) commands, the
value of CERTPATHLEN should be set to 0 in the template.

Index: ikeca.cnf
===================================================================
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.cnf,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 ikeca.cnf
--- ikeca.cnf	17 Nov 2023 14:43:36 -0000	1.10
+++ ikeca.cnf	29 Jan 2025 20:17:41 -0000
@@ -9,7 +9,7 @@ CERT_CN			=
 CERT_EMAIL		= reyk@openbsd.org
 
 # default settings
-CERTPATHLEN		= 1
+CERTPATHLEN		= 0
 CERTUSAGE		= digitalSignature,keyCertSign,cRLSign
 EXTCERTUSAGE		= serverAuth,clientAuth
 CERTIP			= 0.0.0.0
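Review bot: the hunk changes only the default assignment of CERTPATHLEN; it is worth confirming that the basicConstraints line for the CA certificate elsewhere in ikeca.cnf takes its pathlen from this variable rather than a literal, otherwise the new default has no effect. The commit message should also say that this applies only to CAs created after the change: a CA already generated with "ikectl ca" keeps pathlen 1 until it is re-created, and once a root carries pathlen 0, any chain that places an intermediate CA below it fails path validation, which is the intended effect.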
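To show what the path length value actually buys, here is an added script that is not part of Lloyd's mail or the OpenBSD tree. It builds a throwaway root CA with a chosen pathlen, signs an intermediate CA under it and a leaf under that with openssl(1), then verifies the leaf against the root: a pathlen 1 root accepts the intermediate, a pathlen 0 root rejects it. It assumes an openssl binary (OpenSSL or LibreSSL) in PATH; all subject names and key material are constructed on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example: demonstrate the effect of basicConstraints pathlen on a
# root CA. Nothing here touches an ikectl(8) CA; everything is created in
# a temporary directory and removed on exit.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcsr <dir> <name> <CN>: generate a fresh key and CSR (constructed names).
mkcsr() {
	openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
	    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# chain_verifies <pathlen>: build root(pathlen) -> intermediate -> leaf and
# return 0 if the leaf verifies against the root, 1 if validation fails.
chain_verifies() {
	pathlen=$1
	d="$WORK/pl$pathlen"
	mkdir -p "$d"

	# Self-signed root with the requested path length constraint.
	mkcsr "$d" root "Test Root pathlen $pathlen"
	printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\n' "$pathlen" \
	    > "$d/root.ext"
	printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> "$d/root.ext"
	openssl x509 -req -sha256 -days 30 -in "$d/root.csr" \
	    -signkey "$d/root.key" -extfile "$d/root.ext" \
	    -out "$d/root.crt" >/dev/null 2>&1

	# Intermediate CA issued by the root.
	mkcsr "$d" inter "Test Intermediate"
	printf 'basicConstraints=critical,CA:TRUE,pathlen:0\n' > "$d/inter.ext"
	printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> "$d/inter.ext"
	openssl x509 -req -sha256 -days 30 -in "$d/inter.csr" \
	    -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
	    -extfile "$d/inter.ext" -out "$d/inter.crt" >/dev/null 2>&1

	# End-entity certificate issued by the intermediate.
	mkcsr "$d" leaf "leaf.example"
	printf 'basicConstraints=critical,CA:FALSE\n' > "$d/leaf.ext"
	printf 'keyUsage=critical,digitalSignature\n' >> "$d/leaf.ext"
	printf 'extendedKeyUsage=serverAuth,clientAuth\n' >> "$d/leaf.ext"
	openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" \
	    -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
	    -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1

	# Validate leaf with the root as trust anchor and the intermediate
	# offered as an untrusted chain element; pathlen:0 on the root makes
	# this fail with "path length constraint exceeded".
	if openssl verify -CAfile "$d/root.crt" -untrusted "$d/inter.crt" \
	    "$d/leaf.crt" >/dev/null 2>&1; then
		return 0
	fi
	return 1
}

for pl in 1 0; do
	if chain_verifies "$pl"; then
		echo "root pathlen:$pl -> chain via intermediate VERIFIES"
	else
		echo "root pathlen:$pl -> chain via intermediate REJECTED"
	fi
done
```

The root is self-signed through `openssl x509 -req -signkey -extfile` rather than `req -x509` so the extensions come only from the ext file and the script behaves the same under LibreSSL and OpenSSL. The intermediate itself carries pathlen:0, which is fine for issuing the leaf; only the root's constraint decides whether the intermediate may exist at all.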