cfssl: policy violation error when creating intermediate CA with profile intermediate

From #652, when issuing the CLI command:

cfssl sign -ca ca.pem -ca-key ca-key.pem -profile intermediate -config config.json intermediate.csr | cfssljson -bare intermediate

Still results in the same error “local signer policy disallows issuing CA certificate”.

Intermediate config JSON:

{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "intermediate": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "cert sign",
                    "crl sign"
                ],
                "expiry": "43800h",
                "ca_constraint": {
                    "is_ca": true,
                    "max_path_len": 0,
                    "max_path_len_zero": true
                }
            }
        }
    }
}
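The "ca_constraint" block in the profile above maps one-to-one onto the fields Go's crypto/x509 uses to encode Basic Constraints, which is also what decides whether the signed certificate comes out as CA:TRUE with a pathlen. The following Go program is an added example, not cfssl's own code and not part of this issue: it signs a constructed intermediate with that profile's settings, renders its Basic Constraints the way "openssl x509 -noout -text" prints them, and shows what max_path_len 0 enforces when a chain is verified. All subject names ("Example Root CA", "leaf.example.test", "Example Sub CA"), serial numbers and the helper names are the example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// profile mirrors the "intermediate" profile above: is_ca, max_path_len and
// max_path_len_zero map onto IsCA, MaxPathLen and MaxPathLenZero. Without the
// last flag crypto/x509 treats MaxPathLen 0 as "no limit".
func profile(serial int64, cn string, isCA bool, pathlen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(43800 * time.Hour),                          // "expiry": "43800h"
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // "signing", "key encipherment"
		BasicConstraintsValid: true,
		IsCA:                  isCA, // "is_ca"
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // "cert sign", "crl sign"
		t.MaxPathLen, t.MaxPathLenZero = pathlen, pathlen == 0      // "max_path_len", "max_path_len_zero"
	}
	return t
}

// Describe renders Basic Constraints the way "openssl x509 -noout -text" prints them.
func Describe(c *x509.Certificate) string {
	if !c.BasicConstraintsValid || !c.IsCA {
		return "CA:FALSE"
	}
	if c.MaxPathLen > 0 || c.MaxPathLenZero {
		return fmt.Sprintf("CA:TRUE, pathlen:%d", c.MaxPathLen)
	}
	return "CA:TRUE"
}

// issue signs tmpl under parent with the parent's key; setup failures panic.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Result is what to confirm before putting the new intermediate into service.
type Result struct {
	Intermediate   string // Basic Constraints as openssl would print them
	LeafVerifies   bool   // root -> intermediate -> leaf builds a chain
	SubCALeafFails bool   // root -> intermediate -> sub-CA -> leaf is rejected
}

// IssueAndCheck signs a constructed intermediate with the profile's settings
// (pathlen 0) and shows what that constraint does to chains built beneath it.
func IssueAndCheck() Result {
	rootKey, interKey, subKey, leafKey := newKey(), newKey(), newKey(), newKey()
	rootTmpl := profile(1, "Example Root CA", true, 1)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := issue(profile(2, "Example Intermediate CA", true, 0), root, &interKey.PublicKey, rootKey)

	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}

	leaf := issue(profile(3, "leaf.example.test", false, 0), inter, &leafKey.PublicKey, interKey)
	_, leafErr := leaf.Verify(opts)

	// pathlen 0 forbids any further CA below the intermediate: a sub-CA can still
	// be signed, but a leaf it issues must fail chain building (TooManyIntermediates).
	subCA := issue(profile(4, "Example Sub CA", true, 0), inter, &subKey.PublicKey, interKey)
	inters.AddCert(subCA)
	deep := issue(profile(5, "deep.example.test", false, 0), subCA, &leafKey.PublicKey, subKey)
	_, deepErr := deep.Verify(opts)

	return Result{Intermediate: Describe(inter), LeafVerifies: leafErr == nil, SubCALeafFails: deepErr != nil}
}

func main() { fmt.Printf("%+v\n", IssueAndCheck()) }
```

Running it prints an Intermediate value of "CA:TRUE, pathlen:0", a verifying leaf, and a rejected leaf below the sub-CA; the same Describe check applied to a cert that came out CA:FALSE is the quickest way to catch the failure the commenters below describe before the intermediate is deployed.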

About this issue

  • State: open
  • Created 8 years ago
  • Comments: 18 (4 by maintainers)

Most upvoted comments

Was fighting the same issue with cfssl 1.2 installed from Homebrew.

macOS High Sierra 10.13.2
cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.9.2

Wasn’t able to create an intermediate with “cfssl sign … intermediate.csr” - the output was a cert with CA:FALSE.

The issue was fixed with a manual go get -u ... install.

Now I have a functional intermediate CA, with pathlen=0.

Looks like the last two commenters are on to something - I’m seeing a very similar issue: cfssl from Homebrew creates a broken (non-CA) cert when asked to produce an intermediate, same version installed with “go get” works fine.

The specific problem appears to happen when producing the CSR for the intermediate. This part:

        Requested Extensions:
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:1

is missing from the CSR file when using cfssl from Homebrew. “cfssl sign” then produces a cert with CA:FALSE.

Possibly related.

If you download the prebuilt binary from pkg.cfssl.org for OSX, and you create an intermediate where you’re granting it permission to function as a CA, it correctly creates an intermediate with that privilege. However, if you download the same version for Linux and mint an intermediate certificate using the same configuration, it does not have the ability to function as a CA.

Both are the same version, but the Linux one is built with Go 1.6, while the OSX one is built with Go 1.7, so to test if that’s somehow responsible, I built the Linux version with Go 1.7 and it correctly created an intermediate with the CA capability.

I use the following configuration:

{
    "signing": {
        "default": {
            "expiry": "2160h"
        },
        "profiles": {
            "peer": {
                "expiry": "720h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "720h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "intermediate": {
                "expiry": "720h",
                "usages": [
                    "cert sign",
                    "crl sign"
                ],
                "ca_constraint": {"is_ca": true}
            }
        }
    }
}

I’ve been inspecting them with: openssl x509 -in intermediate-ca/intermediate-ca.pem -noout -text and looking for the section

            X509v3 Basic Constraints: critical
                CA:TRUE

Assuming this can be replicated, I wonder if this warrants an issue to be opened recommending cfssl being built with Go 1.7, and also building the pre-built binary with 1.7 for Linux.
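The "Requested Extensions" check described in the comments above (a CSR that lacks the Basic Constraints request, which "cfssl sign" then turns into a CA:FALSE certificate) can be scripted rather than read off "openssl req -noout -text". The following Go program is an added example, not cfssl's code and not from this thread: it builds two constructed CSRs for a subject named "Example Intermediate CA", one carrying the CA:TRUE, pathlen:1 request and one without it, and reports what each requests. CheckCSR also accepts the PEM of a real intermediate.csr; the function and variable names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
)

// oidBasicConstraints is X.509v3 Basic Constraints (2.5.29.19), the requested
// extension that the Homebrew-built CSR described above was missing.
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// basicConstraints is the ASN.1 SEQUENCE carried inside that extension.
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// CheckCSR parses a PEM-encoded CSR (such as intermediate.csr) and reports
// whether it requests CA:TRUE and which pathlen (-1 when none is requested).
// An absent extension is not an error: it is exactly the case where the
// signer went on to produce a CA:FALSE certificate.
func CheckCSR(csrPEM []byte) (bool, int, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, -1, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return false, -1, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, -1, fmt.Errorf("CSR signature: %w", err)
	}
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidBasicConstraints) {
			continue
		}
		var bc basicConstraints
		if _, err := asn1.Unmarshal(ext.Value, &bc); err != nil {
			return false, -1, fmt.Errorf("basic constraints: %w", err)
		}
		return bc.IsCA, bc.MaxPathLen, nil
	}
	return false, -1, nil
}

// NewCSR builds a constructed CSR for "Example Intermediate CA". With requestCA
// it adds the Basic Constraints request (CA:TRUE plus pathlen) that the working
// cfssl build emits; without it the CSR looks like the one from the broken build.
func NewCSR(requestCA bool, pathlen int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Intermediate CA"}}
	if requestCA {
		bcDER, err := asn1.Marshal(basicConstraints{IsCA: true, MaxPathLen: pathlen})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidBasicConstraints, Critical: true, Value: bcDER}}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	for _, requestCA := range []bool{true, false} {
		csrPEM, err := NewCSR(requestCA, 1)
		if err != nil {
			panic(err)
		}
		isCA, pathlen, err := CheckCSR(csrPEM)
		fmt.Printf("requested=%v -> CA:%v pathlen:%d err=%v\n", requestCA, isCA, pathlen, err)
	}
}
```

Whether a signer honours the CSR's request is a separate question; cfssl's signing policy decides the constraints of the issued certificate, so this check tells you what was asked for, and the certificate itself still has to be inspected after signing.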