From: Stuart Henderson
Subject: Re: ikectl(8) CERTPATHLEN value
To: Lloyd
Cc: "tech@openbsd.org"
Date: Wed, 29 Jan 2025 21:10:28 +0000

What's the benefit? I do see a downside to changing this.

On 2025/01/29 20:32, Lloyd wrote:
> The "ikectl ca" command is used to create a simple one-tier CA for
> use with iked(8). However, the default config creates a root cert
> with path length = 1, which allows the issuance of intermediate CA
> certificates below this root. Since the intent of this simple CA is
> to only issue end-entity certs by means of ikectl(8) commands, the
> value of CERTPATHLEN should be set to 0 in the template.
>
> Index: ikeca.cnf
> ===================================================================
> RCS file: /cvs/src/usr.sbin/ikectl/ikeca.cnf,v
> retrieving revision 1.10
> diff -u -p -u -p -r1.10 ikeca.cnf
> --- ikeca.cnf 17 Nov 2023 14:43:36 -0000 1.10
> +++ ikeca.cnf 29 Jan 2025 20:17:41 -0000
> @@ -9,7 +9,7 @@ CERT_CN =
> CERT_EMAIL = reyk@openbsd.org
>
> # default settings
> -CERTPATHLEN = 1
> +CERTPATHLEN = 0
> CERTUSAGE = digitalSignature,keyCertSign,cRLSign
> EXTCERTUSAGE = serverAuth,clientAuth
> CERTIP = 0.0.0.0
>
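Review bot: Missing documentation for the behaviour change in the `-CERTPATHLEN = 1` / `+CERTPATHLEN = 0` hunk: the edit touches only the template default, so a root already generated with `ikectl ca` keeps its path length of 1 until it is re-created, while any newly created CA can no longer sign a subordinate CA certificate. The commit message or ikectl(8) should say both things explicitly, and should point out that anyone who relies on issuing intermediate CA certificates below an ikectl-created root must set `CERTPATHLEN = 1` in their own copy of ikeca.cnf; the tighter default is otherwise a sound least-privilege choice for a CA intended to issue only end-entity certificates.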