
cross-signing

Open Yannik opened this issue 3 years ago • 3 comments

I would like to restrict a third party Root CA to signing specific names.

For this, I need to cross-sign this Root CA with my own CA while using extension nameConstraints (see https://serverfault.com/questions/670725/is-it-possible-to-restrict-the-use-of-a-root-certificate-to-a-domain).

Is there any functionality for cross-signing an existing cert in easyrsa?

Yannik avatar Jun 14 '22 20:06 Yannik

No.

You could possibly achieve this by editing the x509-types/ca file.

I think the Subject which you have chosen, "cross-signing", could do with expansion ...

TinCanTech avatar Jun 14 '22 21:06 TinCanTech

Hey @TinCanTech,

thanks for confirming this is not possible atm.

I'd like to suggest that such a feature would be a good addition to easyrsa.

If my initial explanation was too vague, let me try to be more clear: What I need is a command that functions like:

/usr/share/easy-rsa/easyrsa --pki-dir=/etc/pki/r1 --batch sign-crt restricted third-party-ca.crt

with x509-types/restricted containing:

nameConstraints=critical,permitted;DNS:.allowed-domain.com

This should result in third-party-ca.crt getting cross-signed by r1 ca key and containing the relevant extension.

Internally, easyrsa should do something like:

openssl x509 -in third-party-ca.crt -CA /etc/pki/r1/ca.crt -CAkey /etc/pki/r1/private/ca.key -out third-party-ca-cross-signed.crt

(plus the relevant ext, serial etc.)

Don't you think this is a valid use case?

Cross-signing can also be used for transitioning to a new Root CA and similar things.

Yannik avatar Jun 14 '22 21:06 Yannik
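The procedure requested above, carried through end to end with plain openssl (an added example for this page; it is neither easy-rsa code nor anything posted in the thread). It stands up a local CA "R1", a self-signed stand-in for the third-party root, cross-signs the latter with a critical nameConstraints extension, issues two leaves from the third-party key, and checks which of them validate. All CA names, file names and the domains allowed-domain.com / evil.example are constructed for the demo; in real use you hold only the third party's certificate, never its key. Two details the `openssl x509 -CA` one-liner in the comment above leaves out are shown explicitly: the extension file has to restate basicConstraints and keyUsage (re-signing with `-clrext` discards the originals, and without `-clrext` the duplicated extensions break the certificate), and the constraint protects only relying parties that trust R1 and not the third-party root directly.

```shell
#!/bin/sh
# Added example (not easy-rsa code): cross-sign a third-party self-signed root
# with our own CA "r1", attaching a critical nameConstraints extension, then show
# which leaf certificates issued by the third party still validate.
# Everything here (CA names, key pairs, domain names) is constructed for the demo.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# Extensions for an unconstrained root CA certificate.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# What a hypothetical x509-types/restricted file would have to carry: the CA
# extensions are repeated because re-signing with -clrext drops the originals.
cat > restricted.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = critical, permitted;DNS:.allowed-domain.com
EOF

# mk_ca PREFIX CN: self-signed CA (used for both r1 and the third-party root).
mk_ca() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile ca.ext \
    -days 365 -out "$1.crt" 2>/dev/null
}

# mk_leaf PREFIX DNSNAME: server cert signed by the third-party root's key, with
# the name in both CN and SAN so old and new OpenSSL judge it the same way.
mk_leaf() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\nsubjectAltName = DNS:%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA third.crt -CAkey third.key -CAcreateserial \
    -extfile "$1.ext" -days 90 -out "$1.crt" 2>/dev/null
}

# verify_via ANCHOR LEAF [INTERMEDIATE]: exit 0 if LEAF chains to ANCHOR.
verify_via() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

mk_ca r1    "R1 Root CA"
mk_ca third "Third Party Root CA"

# The cross-signing step: subject and public key stay the third party's, issuer
# and signature become r1's, and the extension set is swapped for restricted.ext.
openssl x509 -in third.crt -CA r1.crt -CAkey r1.key -CAcreateserial -clrext \
  -extfile restricted.ext -days 365 -out third-cross.crt 2>/dev/null

mk_leaf allowed www.allowed-domain.com
mk_leaf evil    www.evil.example

verify_via r1.crt allowed.crt third-cross.crt \
  && echo "accepted: www.allowed-domain.com via the cross-signed cert"
! verify_via r1.crt evil.crt third-cross.crt \
  && echo "rejected: www.evil.example via the cross-signed cert (permitted subtree violation)"
# Caveat: the constraint only applies to paths through the cross-signed cert.
verify_via third.crt evil.crt \
  && echo "accepted: www.evil.example when the third-party root itself is trusted"
```

`openssl verify` reports the second case as a permitted subtree violation; the third case passes because name constraints live in the cross-signed certificate, not in the third-party root, so the relying party's trust store must contain R1 and not the third-party root for the restriction to have any effect. The `-clrext`/`-extfile` pair is what the requested `sign-crt restricted` command would have to do internally.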

When you figure that out, be sure to raise a PR, thanks.

TinCanTech avatar Jun 15 '22 12:06 TinCanTech