[PATCH v3 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed
Mimi Zohar
zohar at linux.ibm.com
Thu Dec 15 10:21:17 UTC 2022
Hi Eric,
On Tue, 2022-12-13 at 19:33 -0500, Eric Snowberg wrote:
> Currently X.509 intermediate certs with the CA flag set to false do not
> have the endorsed CA (KEY_FLAG_ECA) set. Allow these intermediate certs to
> be added. Requirements for an intermediate include: Usage extension
> defined as keyCertSign, Basic Constrains for CA is false, and the
> intermediate cert is signed by a current endorsed CA.
Intermediary keys should have the CA flag enabled as well. Why is
this needed? At least for the new Kconfig, please keep it simple as
to which certificates may be added to the machine keyring.
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list