From: Lloyd Subject: ikectl(8) CERTPATHLEN value To: "tech@openbsd.org" Date: Wed, 29 Jan 2025 20:32:29 +0000 The "ikectl ca" command is used to create a simple one-tier CA for use with iked(8). However, the default config creates a root cert with path length = 1, which allows the issuance of intermediate CA certificates below this root. Since the intent of this simple CA is to only issue end-entity certs by means of ikectl(8) commands, the value of CERTPATHLEN should be set to 0 in the template. Index: ikeca.cnf =================================================================== RCS file: /cvs/src/usr.sbin/ikectl/ikeca.cnf,v retrieving revision 1.10 diff -u -p -u -p -r1.10 ikeca.cnf --- ikeca.cnf 17 Nov 2023 14:43:36 -0000 1.10 +++ ikeca.cnf 29 Jan 2025 20:17:41 -0000 @@ -9,7 +9,7 @@ CERT_CN = CERT_EMAIL = reyk@openbsd.org # default settings -CERTPATHLEN = 1 +CERTPATHLEN = 0 CERTUSAGE = digitalSignature,keyCertSign,cRLSign EXTCERTUSAGE = serverAuth,clientAuth CERTIP = 0.0.0.0
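Review bot: the hunk's intent is sound, but the change only takes effect for CAs created after it; a root certificate already generated from the old template keeps its basicConstraints path length of 1, so the commit message (or ikectl(8)) should say that an existing CA must be re-created to get the tighter constraint. Leaving `CERTUSAGE = digitalSignature,keyCertSign,cRLSign` unchanged is correct, since keyCertSign is still needed for the root to sign the end-entity certificates that ikectl issues; with pathlen 0 the root can sign leaf certificates but any certificate it signs that carries CA:TRUE will fail path validation, which is exactly the restriction the one-tier design wants. Minor: the diff header shows the options duplicated (`diff -u -p -u -p`), harmless but worth regenerating before commit.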