Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to I find the right certification path and which specific certificates I need? #388

Open
idmken opened this issue Jan 28, 2022 · 7 comments
Assignees

Comments

@idmken
Copy link
Contributor

idmken commented Jan 28, 2022

Description of Issue:

A user needs to build a certificate bundle for trust store management. How do they identify what paths they need?

There are multiple pages in FPKI guide that show a separate process to figure out a path, but nothing on how to build a bundle.

  1. PIV CAs and Agencies - This page shows which agencies use which issuer and specifically which issuer certificate. Someone would need to manually connect the issuer's name back to either FCPCA G2 or a certificate under FCPCAG2.
  2. FPKI Graph - This page shows a generic path using the subject name. A user could take the issuer subject name and find a complete path. The graph doesn't share the specific certificate they need, just a generic path.
  3. FCPCA G2 - This page shows which specific certificates are issued under the Federal Common Policy.

Once they know what certificates they need, they need to figure out how to make a bundle. This is only for PIV. With agencies issuing PIV-I, there is no guidance on how to identify or build a path for PIV-I.

One practical example is if an agency is presented as a PIV or PIV-I their existing configuration builds a path. How can an agency verify that path is correct?

Suggestions

Create a new page on how to identify a path and then build a bundle for both PIV or PIV-I

@idmken
Copy link
Contributor Author

idmken commented Jan 28, 2022

Additionally, someone can verify if a certificate meets a profile by using the CPCT.

@maxwellfunk
Copy link
Contributor

the actual CA certs can be found in the crawler cert bundle of all certs that validate to common from the following file:
https://github.com/GSA/ficam-playbooks/blob/federalist-pages/_fpki/tools/CACertificatesValidatingToFederalCommonPolicyG2.p7b

@claytonjbarnette claytonjbarnette transferred this issue from GSA/ficam-playbooks Jul 24, 2023
@id2win
Copy link
Contributor

id2win commented Aug 22, 2023

@rsherwood-gsa is this related to the graph you maintain?

@rsherwood-gsa
Copy link
Contributor

It was opened over a year and half ago, so I'm not sure if it's related to what we've done. This is a more generic question from Ken about constructing a set of certificates for use in a relying party environment. The desired outcome of this appears to be a playbook.

@idmken
Copy link
Contributor Author

idmken commented Mar 6, 2024

We get a lot of questions of "what is the latest CA for this PIV" or "I want to trust all certs from x vendor". I share the two or three pages I mentioned and it seems like we can make this more efficient somehow.

@rsherwood-gsa
Copy link
Contributor

Let's list out some use cases. Let me know if I'm on the right track:

  1. I am a human administrator who has a certificate (either mine or someone else's) and I want a tool that lets me independently generate the latest valid path so I can see whether it's valid, or whether my existing tool is building the correct path. This will generally be a set of one-off requests.
  2. I need to trust a subset of issued certificates and I need to be able to get a certificate bundle that will allow my software to trust only the CAs that issue the certificates I want to trust. This may be something I want to do regularly, when a new system is set up or when one of the certs in my old path expires.

Any other use cases?

@maxwellfunk
Copy link
Contributor

I dont know if we can get down to the independent trust path level, but the planned installroot coordination with DoD would at least give us the ability to provide for several categories of trust and the ability to export those bundles.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants