A possible path to reliable name constraints on internal TLS CAs

December 8, 2023

A while back I wrote an entry about TLS CA root certificate name constraints for internal Certificate Authorities. One of the traditional problems with your own TLS CA is that this CA can be used to sign any name, even names you don't want to sign. A name constraint would limit that, but traditionally these weren't widely supported, especially on TLS CA root certificates. Then I read Michal Jirků's Running one's own root Certificate Authority in 2023 and had a realization about a general way out so that everything would accept your TLS name constraints.

Some software will accept name constraints on root CA certificates, so you create your root certificate with them. Some software will only accept name constraints on intermediate CA certificates, so then you create an intermediate certificate with the same constraints as your root certificate; it should also have the same validity period as your root certificate (or as long a validity period as you expect to need your CA for). At this point, you throw away the CA root certificate's private key, so no one can make any more intermediate certificates. This insures an attacker can't create a new intermediate certificate without name constraints and then issue certificates from it that will be accepted by older Chrome versions and other things that ignore root CA name constraints.

(Modern Chrome versions support root CA name constraints, but I expect that older Chrome versions will linger on for quite some time in the form of old Android devices that aren't getting updates.)

I suspect that there are some uncertainties and potential problems with this approach. Most obviously, you're in trouble if TLS clients decide to start limiting the lifetime of intermediate CA certificates, since you can't make any more once you destroy the root CA key. As far as I can tell, the CA/Browser Forum Baseline Requirements don't currently limit intermediate certificate lifetimes, but this may change someday.

(One option would be to pre-mint a series of intermediates with relatively short (and overlapping) lifetimes as a precaution. But then you have to protect all of these intermediate certificates for possibly several decades.)

Since using intermediate CAs is what's done in public (web) TLS, probably pretty much everything supports it so maybe there aren't really any uncertainties beyond the long validity period of the intermediate certificate. I don't know how many levels of intermediates are commonly supported, so maybe there could be problems if you wanted two levels of intermediate (the one that's effective your 'root' CA and then a second, shorter term one below it that you used to directly issue TLS certificates).

Comments on this page:

By David Magda at 2023-12-09 08:43:09:

Then I read Michal Jirků's Running one's own root Certificate Authority in 2023[1] and had a realization about a general way out so that everything would accept your TLS name constraints.

Some interesting stuff in the Hacker News comments:

At this point, you throw away the CA root certificate's private key, so no one can make any more intermediate certificates.

Or perhaps get an hardware security module (or two) and store them in there:

If you end up losing the HSM(s), it'd be no worse than if you'd gotten rid of the private root key in the first place. The above model appears to have two-man / m-of-n rule support, and allow for (encrypted) backing up of units to each other.

The HN post also has various suggests on (open source) CA software so one doesn't have to roll (and maintain) one's own:

By chipb at 2023-12-10 11:34:28:

(One option would be to pre-mint a series of intermediates with relatively short (and overlapping) lifetimes as a precaution. But then you have to protect all of these intermediate certificates for possibly several decades.)

I usually try to avoid being a pedant, but I’m compelled to point out that the certificate isn’t the sensitive part to protect; all those pre-minted intermediate certs could share the same key. It may not be a great idea, but at least to me, it doesn’t seem worse in principle than using a single multi-decade intermediate.

By cks at 2023-12-10 23:23:23:

That's a great point, chipb. I usually think of separate TLS certificates (intermediates or otherwise) as having separate keys, but that's not absolutely required, and if you're already looking at using a ten or twenty year 'intermediate' (with obviously the same key for the duration), you can reuse the same key for multiple intermediate certificates. I'll have to remember this if it ever comes up for us.

Written on 08 December 2023.
« Mapping out my understanding of (web-based) single sign-on systems
I recently used Grafana Loki for fast, flexible log searching »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal.
Search:
Login: Password:
Last modified: Fri Dec 8 23:02:40 2023
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.