000021517 - RSA Keon Certificate Authority does not check the Basic Constraints when signing additional CAs

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000021517
Applies To: Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Server SP3
Issue: RSA Keon Certificate Authority does not check the Basic Constraints when signing additional CAs
The basicConstraints path length limit is set to 0 for a subordinate CA (CA1) issued by the Root. It is still possible to create a sub-CA that is subordinate to CA1.
Resolution: RSA Keon Certificate Authority is set up to allow users to create additional sub-CAs even if they do not follow the PKI rules expressed in Basic Constraints. This gives KCA more flexibility for customers to experiment.

The applications that use the certificates are responsible for checking and verifying the Basic Constraints extension. Just as an application must check certificate validity, it must also check the Basic Constraints.

An RFE (request for enhancement, tracked as tst00042070) has been submitted to add the capability to configure KCA to check Basic Constraints before signing additional sub-CAs.

Additional Information:

Basic Constraints

The basic constraints extension identifies whether the subject of the certificate is a CA and how deep a certification path may exist through that CA. The pathLenConstraint field is meaningful only if cA is set to TRUE. In this case, it gives the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that only an end entity certificate can follow in the path. Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, there is no limit to the allowed length of the certification path.

This extension must appear as a critical extension in all CA certificates. This extension should not appear in end entity certificates.

id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }

BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
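As an added example (not part of this RSA article or of the KCA product), the following Python models the check a relying application has to perform on a certification path, using constructed certificate data rather than real X.509 parsing. It rejects the Root -> CA1 (pathLen 0) -> sub-CA -> end-entity path described above and, going slightly beyond the article, also handles self-issued certificates and a non-CA issuer.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cert:
    """Constructed model of one certificate's Basic Constraints fields (not an X.509 parser)."""
    name: str
    is_ca: bool                      # basicConstraints.cA
    path_len: Optional[int] = None   # pathLenConstraint; None means absent, i.e. no limit
    self_issued: bool = False        # subject == issuer; never counted against a limit

def check_path(chain: List[Cert]) -> List[str]:
    """Check a path ordered root -> intermediates -> target; return the violations found.
    The target (last element) is never counted against a pathLenConstraint: the limit
    bounds the intermediate CA certificates that may follow, per RFC 5280 4.2.1.9."""
    violations = []
    for i, cert in enumerate(chain[:-1]):          # every element but the last issued the next
        if not cert.is_ca:
            violations.append(f"{cert.name}: cA is FALSE but it issued {chain[i + 1].name}")
            continue
        if cert.path_len is None:
            continue                               # no limit on the path below this CA
        if cert.path_len < 0:
            violations.append(f"{cert.name}: pathLenConstraint {cert.path_len} is negative")
            continue
        following = [c for c in chain[i + 1:-1] if not c.self_issued]
        if len(following) > cert.path_len:
            names = ", ".join(c.name for c in following)
            violations.append(f"{cert.name}: pathLenConstraint={cert.path_len} but "
                              f"{len(following)} intermediate(s) follow ({names})")
    return violations

# The article's situation as constructed sample data: CA1 is limited to 0, KCA still
# signed SubCA beneath it, and SubCA went on to issue an end-entity certificate.
ROOT = Cert("Root", is_ca=True, self_issued=True)
CA1 = Cert("CA1", is_ca=True, path_len=0)
SUBCA = Cert("SubCA", is_ca=True)
LEAF = Cert("end-entity", is_ca=False)

def article_scenario() -> List[str]:
    """Path a relying application must reject: Root -> CA1 -> SubCA -> end entity."""
    return check_path([ROOT, CA1, SUBCA, LEAF])

def compliant_scenario() -> List[str]:
    """Path that passes: CA1 (pathLen 0) issues the end entity directly."""
    return check_path([ROOT, CA1, LEAF])
```

Note that validating the SubCA certificate itself as the target (Root -> CA1 -> SubCA) passes, because pathLenConstraint only limits how many intermediates may follow; the problem surfaces as soon as SubCA is used to issue anything.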
Legacy Article ID: a23304