The Wayback Machine - https://web.archive.org/web/20201208021427/https://github.com/square/certstrap/issues/78

Intermediate with OpenSSL: verify error:num=25:path length constraint exceeded #78

Open
jbwdevries opened this issue Jun 11, 2019 · 2 comments · May be fixed by #112

Comments

@jbwdevries jbwdevries commented Jun 11, 2019

Could be a documentation issue - there is nothing in the README.md. I generated an Intermediate certificate using these steps:

```
./bin/certstrap-master-linux-amd64 init --common-name "Unit Test Server Root CA" --key-bits 1024 --expires "100 years"

./bin/certstrap-master-linux-amd64 request-cert --common-name "Unit Test Server Intermediate CA" --key-bits 1024
./bin/certstrap-master-linux-amd64 sign --expires "100 years" --CA "Unit Test Server Root CA" --intermediate "Unit Test Server Intermediate CA"

./bin/certstrap-master-linux-amd64 request-cert --common-name "localhost" --ip "127.0.0.1" --domain "localhost" --key-bits 1024
./bin/certstrap-master-linux-amd64 sign --expires "100 years" --CA "Unit Test Server Intermediate CA" "localhost"
```

I'm trying to debug it, but can't quite figure out what this comment means:

```
// Not allow any non-self-issued intermediate CA, sets MaxPathLen=0
```

Should I generate my Intermediate CA differently?

@mcpherrinm (Contributor) commented Dec 13, 2019

The intermediate isn't actually the problem here, it's the root:

Certstrap generates roots with pathlen:0, which can't be used to sign intermediates. We don't put a pathlen on intermediates though....

That seems confusing and is definitely not documented anywhere. Path length really ought to be a flag.
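The effect described above can be reproduced without certstrap or OpenSSL. The following is an added example (it is not certstrap code and was not posted by anyone in this thread) that builds the reporter's three-certificate chain with Go's crypto/x509: a root carrying the chosen pathLenConstraint, an intermediate with CA:TRUE and no pathlen (what certstrap's sign --intermediate emits), and a localhost leaf. It then runs chain verification and reports whether the failure is the path length check, which is Go's counterpart of OpenSSL's "error 25: path length constraint exceeded". The CA names come from the report; the ECDSA P-256 keys (instead of 1024-bit RSA) and the one-day validity are assumptions made purely to keep the example quick.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newKey generates a P-256 key (assumption: ECDSA instead of the RSA-1024 keys
// in the report, chosen only because generation is fast).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with parentKey under parent and returns the parsed
// certificate. For a self-signed root pass parent == template.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate builds a CA template. maxPathLen < 0 omits pathLenConstraint
// entirely (certstrap's intermediates), 0 encodes an explicit pathlen:0
// (certstrap init's default), and a positive value encodes that length.
func caTemplate(serial int64, cn string, maxPathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if maxPathLen == 0 {
		t.MaxPathLenZero = true // MaxPathLen 0 alone would mean "absent"
	} else if maxPathLen > 0 {
		t.MaxPathLen = maxPathLen
	}
	return t
}

// BuildAndVerify mirrors the reporter's chain root -> intermediate -> localhost
// with rootPathLen as the root's pathLenConstraint, and returns the error
// from chain verification (nil when the chain is accepted).
func BuildAndVerify(rootPathLen int) error {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := caTemplate(1, "Unit Test Server Root CA", rootPathLen)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	// Intermediate: CA:TRUE, no pathlen, one step below the root.
	intermediate := issue(caTemplate(2, "Unit Test Server Intermediate CA", -1), root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, intermediate, &leafKey.PublicKey, intKey)

	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "localhost"})
	return err
}

// IsPathLenError reports whether err is crypto/x509's path length failure
// ("too many intermediates for path length constraint").
func IsPathLenError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.TooManyIntermediates
}

func main() {
	for _, pl := range []int{0, 1} {
		fmt.Printf("root pathlen:%d -> verify error: %v\n", pl, BuildAndVerify(pl))
	}
}
```

With a pathlen:0 root the verifier counts one non-self-issued CA (the intermediate) between the root and the leaf, which exceeds 0, so the chain is rejected; with pathlen:1 (or no pathlen at all) the same chain verifies. Only the root template changes between the two runs, which is the point made above: the intermediate is not what needs fixing.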

agy added a commit to agy/certstrap that referenced this issue Aug 11, 2020
By default when certstrap initializes a CA certificate it sets the
`pathlen` X509v3 basic constraint to zero (0). This is correct if the CA
will not be used in a certificate chain which includes intermediate
certificates.

Add a parameter to `certstrap init` to allow a user to override the
`pathlen` constraint if they know that their CA will be used with
intermediate certificates. By default the value is set to zero, leaving
the behaviour the same as before this change if the parameter isn't
overridden.

c.f. https://tools.ietf.org/html/rfc5280#section-4.2.1.9

Example usage:

```
$ certstrap init -cn foo.example.com
[...]
$ openssl x509 -noout -text -in out/foo.example.com.crt
[...]
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
[...]
```

```
$ certstrap init -cn bar.example.com --path-length 1
[...]
$ openssl x509 -noout -text -in out/bar.example.com.crt
[...]
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
[...]
```

Fixes: square#78
@agy agy linked a pull request that will close this issue Aug 11, 2020
@antong antong commented Sep 28, 2020

I ran into this same thing, but I must be missing something. How has anybody ever made use of the --intermediate functionality if the maxpathlen of the root prevents it from working at all?
