Add a verification that the certificate is a CA certificate
Now a user is able to add a non-CA certificate to a bundle, and trust manager doesn't verify that the added cert isn't a CA cert, and adds it to the bundle. Please include a verification for certs to be added.
@erikgb hello, can I work on this issue?
Please do, @arsenalzp! 💯 Are we heading for a controller flag/option, as we do for similar options already?
Yes, sure. As always, we can manage this behavior with a controller option.
@erikgb @AlexanderKocheshkov how to recognize a CA certificate?
Can we use basicConstraints=CA:true?
We should also make room for an even stricter validation, where only root/self-signed CAs are allowed in bundles.
I am pretty sure @SgtCoDFish has something to add to this!
Might be useful to think about extensibility of the API that we create. Other options that we might want to add in the future:
- only allow root certificates
- only allow certificates that are not valid for longer than X years
- only allow certificates with a max max-pathlen
Can we use basicConstraints=CA:true?
This is the primary way to check, yeah. The best resource is https://cabforum.org/working-groups/server/baseline-requirements/requirements/ for certs in the public internet.
Specifically:
- This lists the extensions in the cert which are required for root certs
- This lists them for cross signed intermediates
- This lists for intermediate certs.
We shouldn't check for all of the required extensions - checking for basicConstraints CA=true will probably be the best starting point!