-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generate Keymaster CA to be used as client only certificates #144
Comments
Do you mean keymaster's CA cert as dowloaded from https://keymaster.example.com/public/x509ca. I dont understand te question (why would clients want this cert anyway?). Or if its something else can you explain an provide steps for reproducing? |
@bjhaid Ping? |
This certs need to be trusted on the clients machine to prevent the continuous prompts to manually trust the certificate. To prevent the CA from being used to issue a server cert that can MITM the user's traffic, the CA needs to explicitly indicate it is only used for signing clients certs and nothing more. As it is today the CA can be used to sign both server and client certificates. |
@bjhaid what OS/browser combination are you seeing?
Can you detail here the behaviour you are seeing? and what are you expecting? |
the behavior I am seeing is:
When I had not trusted the server's CA I would get prompt number 2 every time I tried logging into keymaster/cloudgate. To prevent that from happening, rather than requiring every user to manually trust the cert we can instead distribute it to the users. |
This will allow distributing the CA certificate to machines for trust and not worry about the certificate trusting servers. The certificate should probably have only the
ExtKeyUsageClientAuth
bit setThe text was updated successfully, but these errors were encountered: