
Basic Constraints certificate extension

Open SteelCrow opened this issue 4 years ago • 2 comments

For the Basic Constraints certificate extension, rcgen currently supports two options:

pub enum IsCa {
    SelfSignedOnly,
    Ca(BasicConstraints)
}

And if we look into the spec we will see exactly these two options:

id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }

BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

and the extension identifies two aspects:

Subject type: is the certificate a CA certificate or an end entity certificate;
[Optionally] How many CAs are allowed in the chain below the current CA certificate. This setting has no meaning for end entity certificates.

And for sure the Ca(x) case generates something like:

SubjectType=CA
Path length Constraint = x

But in the case of SelfSignedOnly it doesn't generate anything.

Empty

Despite the spec saying: "If Basic Constraints extension is not included in certificate, it is automatically treated as end entity certificate."

Is it possible to force writing this field?

SubjectType=End Entity
Path length Constraint = None

SteelCrow, Nov 29 '21 13:11

Good point!

est31, Nov 29 '21 14:11

Right now the only way to implement it in the API is to do a custom extension and serialize it yourself, but we could have native support by e.g. having an EndEntity variant of the enum.

est31, Nov 29 '21 14:11
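The two encodings the issue contrasts, as an added example that is not rcgen's own code: a dependency-free DER encoder and decoder for the BasicConstraints value, showing that an explicitly written end-entity extension (the empty SEQUENCE, because DER omits the cA DEFAULT FALSE) is a different byte string from leaving the extension out, while a verifier treats both as end entity. It assumes path lengths of 0..=127 so the INTEGER always has one content byte.

```rust
// Added example, not rcgen's own code: DER encode/decode of the BasicConstraints
// value (RFC 5280 4.2.1.9). Assumes path lengths 0..=127 (one INTEGER content byte).
#[derive(Debug, PartialEq)]
pub enum SubjectType {
    EndEntity,
    Ca { path_len: Option<u8> },
}

/// Encode the inner SEQUENCE that becomes the extension's extnValue.
pub fn encode_basic_constraints(subject: &SubjectType) -> Vec<u8> {
    let mut body = Vec::new();
    if let SubjectType::Ca { path_len } = subject {
        body.extend_from_slice(&[0x01, 0x01, 0xFF]); // cA BOOLEAN TRUE
        if let Some(n) = path_len {
            body.extend_from_slice(&[0x02, 0x01, *n]); // pathLenConstraint INTEGER
        }
    }
    // DER never encodes a DEFAULT value, so cA=FALSE is absent and an end
    // entity is the empty SEQUENCE 30 00 (distinct from omitting the extension).
    let mut out = vec![0x30, body.len() as u8];
    out.extend_from_slice(&body);
    out
}

/// Interpret an extnValue; `None` models a certificate with no Basic Constraints
/// extension at all, which RFC 5280 treats as an end entity certificate.
pub fn decode_basic_constraints(ext: Option<&[u8]>) -> Result<SubjectType, &'static str> {
    let der = match ext { None => return Ok(SubjectType::EndEntity), Some(d) => d };
    if der.len() < 2 || der[0] != 0x30 || der.len() != 2 + der[1] as usize {
        return Err("malformed BasicConstraints SEQUENCE");
    }
    let (mut body, mut ca, mut path_len) = (&der[2..], false, None);
    if body.starts_with(&[0x01, 0x01]) && body.len() >= 3 {
        ca = body[2] != 0x00; // DER TRUE is 0xFF; treat any non-zero as asserted
        body = &body[3..];
    }
    if body.starts_with(&[0x02, 0x01]) && body.len() >= 3 {
        if body[2] & 0x80 != 0 { return Err("negative pathLenConstraint"); }
        path_len = Some(body[2]);
        body = &body[3..];
    }
    if !body.is_empty() { return Err("unexpected data in BasicConstraints"); }
    // RFC 5280: pathLenConstraint MUST NOT appear unless cA is asserted.
    match (ca, path_len) {
        (true, p) => Ok(SubjectType::Ca { path_len: p }),
        (false, None) => Ok(SubjectType::EndEntity),
        (false, Some(_)) => Err("pathLenConstraint without cA=TRUE"),
    }
}
```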