Bug 49755 - Add nameConstraints and CRLDistribution points
Status: NEW
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
QA Contact:
Depends on:
Blocks:
Reported: 2019-06-28 15:03 CEST by Nico Gulden
Modified: 2019-09-12 08:58 CEST (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019031421001312
Bug group (optional): External feedback
Max CVSS v3 score:


Description Nico Gulden univentionstaff 2019-06-28 15:03:38 CEST
User feedback. User needs nameConstraints and CRLDistribution points with UCS Root CA.

--- make-certificates.sh.backup 2019-03-14 16:24:40.448253015 +0100
+++ make-certificates.sh 2019-03-14 16:28:53.281701333 +0100
@@ -49,6 +49,11 @@
: "${DEFAULT_BITS:=2048}"
export DEFAULT_MD DEFAULT_BITS DEFAULT_CRL_DAYS

+CRL_DISTRIBUTION_POINTS="$(/usr/sbin/univention-config-registry get ssl/crl/distribution_points)"
+if [ -z "$CRL_DISTRIBUTION_POINTS" ]; then
+ CRL_DISTRIBUTION_POINTS="URI:http://ssl.interne.domain/ucsCA.crl"
+fi
+
if test -e "$SSLBASE/password"; then
  PASSWD="$(cat "$SSLBASE/password")"
else
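Review bot: the fallback on the `+ CRL_DISTRIBUTION_POINTS="URI:http://ssl.interne.domain/ucsCA.crl"` line hard-codes a placeholder host that no real installation resolves, so a CA built without the `ssl/crl/distribution_points` UCR variable set would carry a distribution point that relying parties can never fetch; derive the default from the host's own domain settings or abort with a clear message rather than silently embedding the placeholder. The hunk also only embeds the URL: nothing here generates the CRL or publishes it at that location, which clients that enforce revocation checking will need.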
@@ -182,7 +187,7 @@
[ req_attributes ]

challengePassword  = A challenge password
-unstructuredName = Univention GmbH
+unstructuredName = Discovergy GmbH

[ ${CA}_ext ]

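Review bot: the `-unstructuredName = Univention GmbH` / `+unstructuredName = Discovergy GmbH` change is a site-specific edit to the shipped template and does not belong in a patch proposed for the product; if the value is meant to be configurable, read it from a UCR variable with the current text as the default, in the same way the first hunk does for the CRL URI.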
@@ -194,6 +199,15 @@
# issuerAltName           = issuer:copy
# nsCertType              = sslCA, emailCA, objCA
# nsComment               = signed by Univention Corporate Server Root CA
+nameConstraints         = @name_constraints
+crlDistributionPoints   = @crl_info
+
+[crl_info]
+URI.0                   = $CRL_DISTRIBUTION_POINTS
+
+[name_constraints]
+permitted;DNS.0=<interne.domain>
+permitted;DNS.1=<externe.domain>

&#91; v3_req &#93;
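Review bot: `URI.0 = $CRL_DISTRIBUTION_POINTS` combined with the first hunk's default value, which already starts with `URI:`, expands to `URI.0 = URI:http://...`, so the encoded distribution point would itself begin with the literal text `URI:`; either keep the UCR value and its default as a bare URL, or drop the `[crl_info]` section and use the single-value form `crlDistributionPoints = $CRL_DISTRIBUTION_POINTS`. `nameConstraints = @name_constraints` should read `critical,@name_constraints`, since RFC 5280 requires a CA to mark this extension critical so that a client which does not understand it rejects the certificate instead of ignoring the restriction. The `permitted;DNS.0=<interne.domain>` and `permitted;DNS.1=<externe.domain>` entries are placeholders whose angle brackets would be written literally into the CA configuration; source them from UCR variables as well, and note that a permitted list for DNS alone leaves other name forms (IP addresses, e-mail addresses, directory names) unconstrained, which should be an explicit decision rather than an omission.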
Comment 1 Philipp Hahn univentionstaff 2019-09-12 08:58:45 CEST
CRL-DP is Bug #34285