Certificate Transparency for Self-Hosted Actors


Francis Booth

Jul 26, 2024, 12:47:55 PM
to certificate-transparency
Hello hello! 

I'm here as I have recently become aware of a catch-22 issue with CT that I hope can be addressed here.

I have a Root CA that is constrained to my own domain and have issued certificates on it that pass all validation checks such as openssl verify ... and all that. The problem is that even when I add this CA to local keystores, there appears to be a hanging issue with certain vendors (Apple being one of them) where, because my certificates do not have a CT signature, they are shown as not standards compliant.

This means that no matter what I do, even when issuing valid certificates, my CA is never trusted by the system.

Is there an accepted method for how organizations are expected to enroll in CT so that they can issue certificates here? 

Do note, this is not an unconstrained root certificate authority, so it's not like this CA can sign for domains other than its own, so I don't see what the issue is here.

Matthew McPherrin

Jul 26, 2024, 2:12:19 PM
to certificate-...@googlegroups.com
CT isn't supposed to be required for "enterprise"/local certificate authorities you've enrolled in your own devices.  I don't know that much about the client-side implementation of those things, so I'm not sure what exactly you're running into here.

cli...@apple.com

Jul 26, 2024, 2:29:47 PM
to certificate-transparency
Hello,

CT shouldn't be enforced for non-System Roots, so there's likely something more fundamental causing the error(s) you're seeing. For Apple, would you be able to submit a report to https://feedbackassistant.apple.com/ so we can review?

Thank you!
-Clint

Francis Booth

Jul 28, 2024, 3:01:18 PM
to certificate-transparency
After doing more digging I realized that when I wrote the name constraints I had *.domain.tld, and using a wildcard there is not compliant with the RFC, so the message I was getting back from the keystore was correct. It just wasn't showing that on the Root or Intermediate certificates until I got down to the server certificates, and then it threw the error.

I recreated the CA with just the domain TLD (domain.tld) as the DNS constraint and now everything is working perfectly after loading the CA into the store.