
Comments (3)

jniebuhr commented on August 17, 2024

I checked the docs and from my understanding we would probably need to use the BlankEndEntityCertificate_CSRPassthrough/V1 template to have those key usages be passed on from the CSR that cert-manager provides.
@paramsethi can you confirm this? And would we need some kind of default for people who don't specify any key usage?

from aws-privateca-issuer.

kit837 commented on August 17, 2024

I believe cert-manager provides a default already. From cert-manager - Key Usages:

Unless any number of usages has been set, cert-manager will set the default requested usages of “digital signature”, “key encipherment”, and “server auth”

One other consideration about BlankEndEntityCertificate_CSRPassthrough/V1 is that it will not include the digital signature and key encipherment usages by default. These usages are important to some TLS implementations.

If a user specifies only KeyUsages: [ "server auth" ], they may be surprised if their certificate doesn't work as expected.


paramsethi commented on August 17, 2024

If no templateArn is provided, acm-pca/IssueCertificate uses the default EndEntityCertificate template, which includes both server and client auth as key usage values.

If KeyUsage is present in the CSR, we can use the BlankEndEntityCertificate_CSRPassthrough template.

However, if KeyUsage is not populated in the CSR, we should fall back to using the default EndEntityCertificate template in order to issue a valid X.509 certificate.

The other option is to use the specific templates that are only used for client auth or server auth. ACM Private CA provides the EndEntityClientAuthCertificate and EndEntityServerAuthCertificate templates for this purpose, which add the Client Auth and Server Auth values to the ExtendedKeyUsage field and keep the KeyUsage values for digital signature and key encipherment.

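As an added example of the template-selection fallback paramsethi describes (this is illustrative code, not code from aws-privateca-issuer or cert-manager), the Go program below parses a PEM CSR, looks for the KeyUsage extension (OID 2.5.29.15), chooses the CSR-passthrough template only when that extension is present, and otherwise falls back to the default EndEntityCertificate template. It also surfaces the case kit837 raises: when the requested usages omit digitalSignature or keyEncipherment, the passthrough template will not add them, so the caller gets a warning. The template ARN strings are assumed from the ACM Private CA documentation, and the CSRs are constructed inline for throwaway P-256 keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
)

// Template ARNs as named in the thread. The ARN format is an assumption taken
// from the ACM Private CA documentation, not copied from the issuer's code.
const (
	TemplateDefault     = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
	TemplatePassthrough = "arn:aws:acm-pca:::template/BlankEndEntityCertificate_CSRPassthrough/V1"
)

var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// KeyUsageFromCSR decodes the KeyUsage extension requested in a CSR.
// The bool result is false when the CSR carries no KeyUsage extension.
func KeyUsageFromCSR(csr *x509.CertificateRequest) (x509.KeyUsage, bool, error) {
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidKeyUsage) {
			continue
		}
		var bits asn1.BitString
		rest, err := asn1.Unmarshal(ext.Value, &bits)
		if err != nil {
			return 0, true, err
		}
		if len(rest) != 0 {
			return 0, true, errors.New("trailing data after KeyUsage BIT STRING")
		}
		// RFC 5280 numbers the bits digitalSignature(0) .. decipherOnly(8);
		// x509.KeyUsage uses the same bit positions as its flag values.
		var ku x509.KeyUsage
		for i := 0; i < bits.BitLength && i < 9; i++ {
			if bits.At(i) == 1 {
				ku |= x509.KeyUsage(1 << uint(i))
			}
		}
		return ku, true, nil
	}
	return 0, false, nil
}

// ChooseTemplate returns the template ARN to pass to IssueCertificate for the
// given PEM CSR, plus a warning when the requested usages would leave a TLS
// certificate without digitalSignature/keyEncipherment under passthrough.
func ChooseTemplate(csrPEM []byte) (template string, warning string, err error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", "", errors.New("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", "", err
	}
	// Never forward a CSR whose proof-of-possession signature does not verify.
	if err := csr.CheckSignature(); err != nil {
		return "", "", fmt.Errorf("CSR signature invalid: %w", err)
	}
	ku, present, err := KeyUsageFromCSR(csr)
	if err != nil {
		return "", "", err
	}
	if !present {
		return TemplateDefault, "", nil
	}
	const wanted = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if ku&wanted != wanted {
		warning = "CSR KeyUsage lacks digitalSignature and/or keyEncipherment; passthrough template will not add them"
	}
	return TemplatePassthrough, warning, nil
}

// MakeCSR builds a constructed sample CSR for a throwaway P-256 key. A non-zero
// ku is embedded as a KeyUsage extension; ku == 0 yields a CSR without one.
func MakeCSR(ku x509.KeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.internal"}}
	if ku != 0 {
		// Encode the flags as a DER BIT STRING with bit 0 in the MSB of byte 0.
		var raw [2]byte
		bitLen := 0
		for i := 0; i < 9; i++ {
			if ku&(1<<uint(i)) != 0 {
				raw[i/8] |= 0x80 >> uint(i%8)
				bitLen = i + 1
			}
		}
		der, err := asn1.Marshal(asn1.BitString{Bytes: raw[:(bitLen+7)/8], BitLength: bitLen})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidKeyUsage, Critical: true, Value: der}}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	for _, ku := range []x509.KeyUsage{0, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, x509.KeyUsageKeyAgreement} {
		csr, _ := MakeCSR(ku)
		tpl, warn, err := ChooseTemplate(csr)
		fmt.Printf("ku=%03b template=%s warning=%q err=%v\n", ku, tpl, warn, err)
	}
}
```

The CSR-without-KeyUsage case is the one cert-manager normally prevents by applying its defaults, but a CSR from another client can still arrive without the extension, which is why the fallback is on the issuer side rather than assumed away.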
