Intermediate with OpenSSL: verify error:num=25:path length constraint exceeded
Could be a documentation issue - there is nothing in the README.md. I generated an Intermediate certificate using these steps:
./bin/certstrap-master-linux-amd64 init --common-name "Unit Test Server Root CA" --key-bits 1024 --expires "100 years"
./bin/certstrap-master-linux-amd64 request-cert --common-name "Unit Test Server Intermediate CA" --key-bits 1024
./bin/certstrap-master-linux-amd64 sign --expires "100 years" --CA "Unit Test Server Root CA" --intermediate "Unit Test Server Intermediate CA"
./bin/certstrap-master-linux-amd64 request-cert --common-name "localhost" --ip "127.0.0.1" --domain "localhost" --key-bits 1024
./bin/certstrap-master-linux-amd64 sign --expires "100 years" --CA "Unit Test Server Intermediate CA" "localhost"
I'm trying to debug it, but can't quite figure out what this comment means:
// Not allow any non-self-issued intermediate CA, sets MaxPathLen=0
Should I generate my Intermediate CA differently?
The intermediate isn't actually the problem here, it's the root:
Certstrap generates roots with pathlen:0, which can't be used to sign intermediates. We don't put a pathlen on intermediates though....
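The failure described above, reproduced in Go's crypto/x509 (the library certstrap is built on) as an added example that is not certstrap's code or part of this thread: the root's pathLenConstraint is the only variable, the intermediate carries no pathlen, and the leaf is "localhost" as in the commands in the report. With pathlen:0 on the root, Go rejects the chain with TooManyIntermediates, which is the same condition OpenSSL reports as verify error 25 (path length constraint exceeded); with pathlen:1 or no constraint, the same chain verifies. The helper names (issue, buildChain, verifyLeaf, isPathLenError) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key for tmpl and signs it with parentKey.
// When parent is nil the certificate is self-signed with its own key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// buildChain issues root -> intermediate -> localhost leaf (example helper).
// rootPathLen is the root's pathLenConstraint: 0 reproduces what the thread
// says certstrap emits, a positive value allows that many intermediates,
// and -1 omits the constraint. The intermediate never carries a pathlen.
func buildChain(rootPathLen int) (root, inter, leaf *x509.Certificate, err error) {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Unit Test Server Root CA")
	if rootPathLen >= 0 {
		rootTmpl.MaxPathLen = rootPathLen
		// Go only encodes pathlen:0 when MaxPathLenZero is set explicitly.
		rootTmpl.MaxPathLenZero = rootPathLen == 0
	}
	root, rootKey, err := issue(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(caTmpl(2, "Unit Test Server Intermediate CA"), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	leaf, _, err = issue(leafTmpl, inter, interKey)
	return root, inter, leaf, err
}

// verifyLeaf validates leaf for "localhost" against root with inter as the
// only untrusted intermediate, like `openssl verify -CAfile root.crt
// -untrusted intermediate.crt localhost.crt`.
func verifyLeaf(root, inter, leaf *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       "localhost",
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isPathLenError reports whether err is Go's form of OpenSSL's verify
// error 25 (path length constraint exceeded).
func isPathLenError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.TooManyIntermediates
}

func main() {
	for _, pl := range []int{0, 1, -1} {
		root, inter, leaf, err := buildChain(pl)
		if err != nil {
			panic(err)
		}
		fmt.Printf("root pathlen %2d: verify -> %v\n", pl, verifyLeaf(root, inter, leaf))
	}
}
```

Running it prints the TooManyIntermediates error for the pathlen:0 root and `<nil>` for the other two, which is the whole difference between the chain certstrap produces and one that works; a root meant to sign intermediates needs either pathlen:1 (or higher) or no pathLenConstraint at all.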
That seems confusing and is definitely not documented anywhere. Path length really ought to be a flag.
I ran into this same thing, but I must be missing something. How has anybody ever made use of the --intermediate functionality if the maxpathlen of the root prevents it from working at all?
It would be really helpful if the path length constraint is fixed. Otherwise intermediate CAs are not really working, because if the root CA is used to sign an intermediate CA, the certificates issued by the intermediate CA are invalid.
@jdtw, could you please look at PR #135.
Unfortunately PR #135 is still stalled with the remark "Code owner review required".
@isemaya-square, as far as I can see you have recently merged two PRs. Is there a chance that the PR is reviewed?