[Help-gnutls] Re: How to restrict certification path length
simon at josefsson.org
Thu Jan 11 11:41:28 CET 2007
Sascha Ziemann <sascha.ziemann at secunet.com> writes:
> is it possible to specify the maximum certification path length in a
> configuration file for certtool? Internet explorer reports the path
> length of certificates made by certtool as unlimited.
> I have a Root CA, which signs an Issuer CA, and an Issuer CA, which
> signs client and server certificates. I would like to restrict the path
> length of the Root CA to two and the path length of the issuer CA to one
> in order to avoid any hacks made with the client or server certificates.
Hi! This is not possible today, but I implemented this in CVS.
Thanks for the suggestion! You can try CVS now, or tomorrow's daily
snapshot. Please let me know if/how it works. Here are the NEWS:
** Certtool now prints the value of the pathLenConstraint field for certs.
** Certtool now queries for path length constraints when generating CA certs.
For batch uses, the certtool configuration name is "path_len".
Suggested by Sascha Ziemann <sascha.ziemann at secunet.com>.
** Add new API to get/set pathLenConstraint in the Basic Constraints.
The new functions gnutls_x509_crt_get_basic_constraints and
gnutls_x509_crt_set_basic_constraints provide a superset of the
functionality in the old gnutls_x509_crt_get_ca_status and
gnutls_x509_crt_set_ca_status (respectively), but the old functions
will continue to be supported.
** API and ABI modifications:
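The value that the new "path_len" template option and gnutls_x509_crt_set_basic_constraints write into a certificate is the pathLenConstraint of the X.509 Basic Constraints extension, and what Internet Explorer reported as "unlimited" is that field being absent. The example below is added here and is not code from GnuTLS or certtool: it DER-encodes and decodes the BasicConstraints extension value (RFC 5280 section 4.2.1.9, the same field the new get/set API exposes) and then applies the RFC 5280 section 6.1.4 path length processing to constructed chains that mirror the Root CA -> Issuer CA -> client/server layout in the thread. The certificate records are constructed dicts that carry only the fields the check needs, not real certificates, and the example honours the trust anchor's own constraint (which RFC 5280 section 6.2 permits but does not require). It does not call libgnutls, so it runs without GnuTLS installed.

```python
"""Added example, not GnuTLS or certtool code: DER-encode/decode the X.509
BasicConstraints extension value (RFC 5280 s.4.2.1.9) and apply the
pathLenConstraint processing of RFC 5280 s.6.1.4 to constructed chains
mirroring the thread's Root CA -> Issuer CA -> end-entity layout."""


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_basic_constraints(ca: bool, path_len=None) -> bytes:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL }.  DER omits cA when it equals
    the default FALSE; pathLenConstraint is only allowed together with cA TRUE."""
    if path_len is not None and not ca:
        raise ValueError("pathLenConstraint requires cA=TRUE")
    content = b""
    if ca:
        content += b"\x01\x01\xff"            # BOOLEAN TRUE must be 0xFF in DER
    if path_len is not None:
        if path_len < 0:
            raise ValueError("pathLenConstraint must be >= 0")
        # minimal big-endian two's complement; a leading 0x00 keeps it positive
        body = path_len.to_bytes((path_len.bit_length() + 8) // 8, "big")
        content += b"\x02" + der_len(len(body)) + body
    return b"\x30" + der_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for one DER TLV."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_basic_constraints(der: bytes):
    """Inverse of encode_basic_constraints; returns (ca, path_len)."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(content) and content[pos] == 0x01:
        _, value, pos = _read_tlv(content, pos)
        if value != b"\xff":                  # FALSE must be absent, TRUE is 0xFF
            raise ValueError("BOOLEAN not DER-encoded")
        ca = True
    if pos < len(content) and content[pos] == 0x02:
        _, value, pos = _read_tlv(content, pos)
        path_len = int.from_bytes(value, "big", signed=True)
        if path_len < 0:
            raise ValueError("negative pathLenConstraint")
    if pos != len(content):
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len


def make_cert(name, ca, path_len=None, self_issued=False):
    """Constructed stand-in for a certificate: only the fields the check needs."""
    return {"name": name, "self_issued": self_issued,
            "basic_constraints": encode_basic_constraints(ca, path_len)}


def validate_path_lengths(chain):
    """Walk the chain from trust anchor to end entity, applying RFC 5280
    s.6.1.4 steps (k)-(m): every issuing cert must be a CA, each non-self-issued
    issuing cert consumes one unit of the remaining budget, and a cert's own
    pathLenConstraint may only shrink that budget.  Returns (ok, reason)."""
    max_path_length = None                    # None means unbounded
    for cert in chain[:-1]:                   # the end entity issues nothing
        ca, path_len = decode_basic_constraints(cert["basic_constraints"])
        if not ca:
            return False, f"{cert['name']} is not a CA yet appears as an issuer"
        if not cert["self_issued"]:
            if max_path_length is not None and max_path_length <= 0:
                return False, f"{cert['name']} exceeds the path length allowed above it"
            if max_path_length is not None:
                max_path_length -= 1
        if path_len is not None and (max_path_length is None or path_len < max_path_length):
            max_path_length = path_len
    return True, "path length constraints satisfied"


# Constructed chains mirroring the thread: Root CA (path_len 2) signs the
# Issuer CA (path_len 1), which signs end-entity client and server certs.
ROOT = make_cert("Root CA", ca=True, path_len=2, self_issued=True)
ISSUER = make_cert("Issuer CA", ca=True, path_len=1)
SERVER = make_cert("server", ca=False)
SUB_CA = make_cert("Sub CA", ca=True)
SUB_SUB_CA = make_cert("Sub-sub CA", ca=True)
CLIENT = make_cert("client", ca=False)

CHAINS = {
    "normal": [ROOT, ISSUER, SERVER],
    "issued by server cert": [ROOT, ISSUER, SERVER, CLIENT],   # cA FALSE as issuer
    "one extra CA": [ROOT, ISSUER, SUB_CA, CLIENT],            # allowed by path_len 1
    "two extra CAs": [ROOT, ISSUER, SUB_CA, SUB_SUB_CA, CLIENT],  # one too many
}

if __name__ == "__main__":
    print("Issuer CA BasicConstraints DER:", ISSUER["basic_constraints"].hex())
    for label, chain in CHAINS.items():
        ok, reason = validate_path_lengths(chain)
        print(f"{label:>22}: {'accept' if ok else 'reject'} ({reason})")
```

Two things the run makes visible. First, the numbers count CA certificates that may follow, not total chain depth: the Issuer CA's pathLenConstraint of 1 still admits one further CA beneath it, and only a value of 0 confines it to issuing end-entity certificates. Second, a client or server certificate cannot be turned into an issuer regardless of any path length, because its BasicConstraints encodes to the empty SEQUENCE 30 00 (cA FALSE), and a validator rejects it at step (k) before path length is even consulted; the constraint matters for the case where a subordinate CA key, not an end-entity key, is misused.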