Bug 1259449 - Include the CA certificate for *.access.redhat.com in ca-certificates
Include the CA certificate for *.access.redhat.com in ca-certificates
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ca-certificates (Show other bugs)
7.2
All All
high Severity high
: rc
: ---
Assigned To: Kai Engert (:kaie)
BaseOS QE Security Team
:
Depends On: 1259456
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-02 11:45 EDT by Keith Robertson
Modified: 2016-07-03 21:35 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-02 12:46:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
api.access.redhat.com cert (68.74 KB, text/html)
2015-09-02 11:46 EDT, Keith Robertson
no flags Details
cert-api.access.redhat.com cert (64.63 KB, text/html)
2015-09-02 11:46 EDT, Keith Robertson
no flags Details

  None (edit)
Description Keith Robertson 2015-09-02 11:45:46 EDT
The certificates attached to this BZ should be added to the ca-certificates RPM to facilitate communication back to the Red Hat Customer Portal.
Comment 1 Keith Robertson 2015-09-02 11:46:24 EDT
Created attachment 1069493 [details]
api.access.redhat.com cert
Comment 2 Keith Robertson 2015-09-02 11:46:59 EDT
Created attachment 1069494 [details]
cert-api.access.redhat.com cert
Comment 4 Keith Robertson 2015-09-02 12:09:13 EDT
This BZ should be implemented in conjunction with BZ1259456
Comment 5 Keith Robertson 2015-09-02 12:46:01 EDT
After talking to Kai, putting the *.redhat.com CAs in ca-certificates isn't a good idea as it is intended to be a global repository.  I'm going to close this BZ.  

===
Hi Keith,

I saw you have filed
https://bugzilla.redhat.com/show_bug.cgi?id=1259449

which requests to add our own CA to the systemwide list of trusted CA
certificates.

This is the first time I see such a request. I believe that in the past
certificfates from global CAs have been used for certificates for our corporate
websites. Can you please tell me, who has discussed and decided that this
strategy should be used?

In my opinion, we should avoid including a CA that could be used to issue
certificates for any website.

If you really need to include a CA, because you must issue your own certificates
to access corporate websites, you should be aware of the following: Only users
of our operating system will be able to connect to our site directly. Everyone
else will see security warnings in their browser, that our site isn't trusted.

If you are aware of that, and would like to use this approach (own CA) anyway,
then I would like to request that we add constrain that CA.

It is possible to add a domain name constraints extension to a root CA
certificate, which limits for which domains certificates can be issued.

Given the potential of abuse of a CA certificate, it would give our customers
the guarantee that we intend to use the CA we're adding only for our own sites,
not for anything else.

Please let me know what you think, I'm interested to hear about your
motiviations for that request, and if you're OK with the constraint that I'm
suggesting.

(On a side note, I couldn't download your attachments from the bug, it seems you
have attached HTML documents, not certificates?)

Thanks and Regards

Note You need to log in before you can comment on or make changes to this bug.