Wildcard certificate and DANE/TLSA records

zorion zorion at autistici.org
Mon Dec 31 23:33:16 CET 2018

On 12/31/18 2:21 PM, Viktor Dukhovni wrote:

>> On Dec 31, 2018, at 2:01 PM, zorion <zorion at autistici.org> wrote:
>> Ok, I had a hard time finding out what exactly the *trust-anchor* was
>> supposed to be. I took a guess that it was the combined cert chain, but
>> obviously that is not it.
> A trust-anchor is any issuing CA you designate as trusted, and it does
> not have to be a root CA, it can also be any intermediate CA.

Thank you for the explanation!

>> What exactly is the trust-anchor? Is it the top level cert from the CA
>> in the chain (#4 in your danecheck below)?
> It is any of 2, 3 or 4.  The important constraint with DANE-TA(2), as
> explained in https://tools.ietf.org/html/rfc7671#section-5.2.2, is
> that if you do choose a root CA as your trust-anchor, unlike the
> case in non-DANE PKIX protocols, it MUST be sent to the client along
> with the intermediate issuer certificates.

Would that be the smtp_tls_CAfile option in postfix? I've got an
intermediate bundle that I provide to that option in main.cf.

> To compute the digest of a CA certificate, create a PEM file containing
> just that certificate.  Or use my "chaingen" script (attached), which
> can process a complete chain of certificates, but DO NOT then publish
> all the TLSA records it outputs.  Publish no more than one TLSA record
> per certificate in the chain, typically just the "3 1 1" for the EE
> cert, and "2 1 1" for the TA certs.  And no need to match at every
> level.  At most two trust anchors (typically just one) are enough.

Thanks! Is there a benefit for also publishing the "2 1 1" TA certs if
I'm already publishing the "3 1 1" EE cert?

PS: I accidentally only sent this directly to Viktor, sending it to the list.
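As an added worked example (my own code, not Viktor's chaingen script and not anything posted in this thread), here is the record generation the quoted advice describes, using only the Python standard library. A minimal DER walk pulls the SubjectPublicKeyInfo out of each certificate, because that is what selector 1 hashes (selector 0 hashes the whole certificate DER instead), and the first certificate in the PEM chain gets a "3 1 1" record while every issuer behind it gets "2 1 1". So that it runs offline, the chain it processes is a constructed DER skeleton with placeholder fields and a non-functional key, not real certificates; the owner name `mail.example.com` is likewise a placeholder.

```python
import base64
import hashlib
import re

# --- minimal DER helpers (stdlib only; enough to walk an X.509 certificate) ---

def der_tlv(buf, pos=0):
    """Parse one DER TLV starting at pos; return (tag, value, end_pos). Definite lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its child TLVs, returned as (tag, whole_tlv_bytes)."""
    items, pos = [], 0
    while pos < len(value):
        start = pos
        tag, _, pos = der_tlv(value, pos)
        items.append((tag, value[start:pos]))
    return items

def _der(tag, content):
    """Encode one TLV (used only to build the constructed sample chain below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# --- TLSA digest computation ---

def subject_public_key_info(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a certificate (what selector 1 hashes)."""
    _, cert_value, _ = der_tlv(cert_der)          # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs_value, _ = der_tlv(der_children(cert_value)[0][1])
    fields = der_children(tbs_value)
    if fields[0][0] == 0xA0:                      # optional EXPLICIT [0] version; absent in v1 certs
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def digest_hex(data, mtype):
    """Matching type 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def tlsa_rdata(cert_der, usage, selector=1, mtype=1):
    """Build TLSA RDATA 'usage selector mtype hex-digest' for one certificate."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    return f"{usage} {selector} {mtype} {digest_hex(data, mtype)}"

def pem_certificates(pem_text):
    """Extract each PEM certificate body as DER bytes, in file order (EE first, then issuers)."""
    bodies = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in bodies]

def chain_records(pem_text):
    """One candidate record per chain member: '3 1 1' for the EE cert, '2 1 1' for each issuer."""
    return [tlsa_rdata(der, 3 if i == 0 else 2) for i, der in enumerate(pem_certificates(pem_text))]

# --- constructed sample chain (structural skeleton only; NOT real certificates) ---

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # 1.2.840.113549.1.1.1 rsaEncryption

def constructed_cert(spki_tlv, with_version=True):
    """Assemble a DER 'certificate' around spki_tlv with placeholder fields and an empty signature."""
    fields = [_der(0xA0, _der(0x02, b"\x02"))] if with_version else []   # [0] EXPLICIT version v3
    fields += [_der(0x02, b"\x01"),  # serialNumber
               _der(0x30, b""),      # signature AlgorithmIdentifier (placeholder)
               _der(0x30, b""),      # issuer Name (placeholder)
               _der(0x30, b""),      # validity (placeholder)
               _der(0x30, b""),      # subject Name (placeholder)
               spki_tlv]             # subjectPublicKeyInfo
    tbs = _der(0x30, b"".join(fields))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

def constructed_spki(seed):
    """SubjectPublicKeyInfo wrapping 256 constructed bytes (shaped like an RSA-2048 modulus)."""
    fake_key = hashlib.sha256(seed).digest() * 8
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + fake_key))

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_EE_SPKI = constructed_spki(b"end-entity")
SAMPLE_TA_SPKI = constructed_spki(b"issuing-ca")
SAMPLE_EE_DER = constructed_cert(SAMPLE_EE_SPKI)
SAMPLE_TA_DER = constructed_cert(SAMPLE_TA_SPKI)
SAMPLE_CHAIN_PEM = der_to_pem(SAMPLE_EE_DER) + der_to_pem(SAMPLE_TA_DER)

if __name__ == "__main__":
    for rr in chain_records(SAMPLE_CHAIN_PEM):        # owner name below is a placeholder
        print("_25._tcp.mail.example.com. IN TLSA", rr)
```

Against a real chain, read the PEM file and pass its text to `chain_records()`. The function emits one candidate record per certificate, which is exactly the output the quoted reply warns against publishing wholesale: pick the "3 1 1" for the EE certificate and, if you want a trust-anchor record as well, the "2 1 1" for one issuer, and remember that a "2 1 1" pointing at a root only works if that root is also included in the certificate chain the server sends.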

