I created this config for maximum security when creating CAs [Certificate Authorities], ICAs [Intermediate Certificate Authorities], and Certificates.
Information and applicable commands can be found beginning at Line 430
By default, the CA profile does not have a pathlen set, allowing it to sign an unlimited number of CAs and ICAs; the ICA profile, however, has a pathlen of 0, preventing it from signing any further CA or ICA.
CA & ICA keyUsage values should not be altered; the values set are the only ones a CA or ICA should have.
CAs & ICAs should always use a hash at least as strong as the hash of the certificates they sign.
CA & ICA keys should be at least 4096 bits and should be encrypted with a password.
The encryption password should be complex: at least 20 characters, with a minimum of two lowercase letters, two uppercase letters, two numbers, & two symbols.
When not in use, certificate keys, especially CA & ICA keys, should reside within an encrypted container secured by at least a 4096-bit PGP signing certificate (see GnuPG) that is itself protected by a password of the same complexity as above.
All VPN/web server & client V3 profiles should always have at least the following keyUsage & extendedKeyUsage flags:

Server
- keyUsage: digitalSignature, keyEncipherment, keyAgreement
- extendedKeyUsage: serverAuth

Client
- keyUsage: digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
nsCertType flags should not be used within certs or VPN configs; they are obsolete and were never officially recognized OIDs for anything other than the Netscape browser.
Client config: remote-cert-eku "TLS Web Server Authentication" should be used in lieu of remote-cert-tls.
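As an added example (not this repository's config), the following script encodes the rules above in a minimal OpenSSL extension file, builds a CA -> ICA -> server chain with `openssl req`/`openssl x509`, and checks with `openssl verify` that a CA issued beneath the pathlen:0 ICA is rejected. The subject names, file names and the `W`/`KEYBITS` variables are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the repository's own config: builds CA -> ICA -> server with the
# README's rules (ICA pathlen:0, required keyUsage/EKU) and shows the ICA cannot issue
# a further CA. Keys are unencrypted (-nodes) only so the demo runs unattended; in
# practice protect them with -aes256 and a strong passphrase, as the README requires.
set -eu
W="${W:-$(mktemp -d)}"; KEYBITS="${KEYBITS:-4096}"
cat > "$W/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ica ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid:always
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid:always
EOF
# $1 = name, $2 = CN: private key plus CSR
csr() { openssl req -new -newkey "rsa:$KEYBITS" -nodes -sha512 -subj "/CN=$2" \
  -config "$W/ext.cnf" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null; }
# $1 = name, $2 = issuer, $3 = extension section, $4 = days: sign the CSR with the issuer key
sign() { openssl x509 -req -sha512 -days "$4" -in "$W/$1.csr" -CA "$W/$2.crt" -CAkey "$W/$2.key" \
  -CAcreateserial -extfile "$W/ext.cnf" -extensions "$3" -out "$W/$1.crt" 2>/dev/null; }
build_chain() {
  openssl req -x509 -newkey "rsa:$KEYBITS" -nodes -sha512 -days 3650 -subj "/CN=Demo Root CA" \
    -config "$W/ext.cnf" -extensions v3_ca -keyout "$W/ca.key" -out "$W/ca.crt" 2>/dev/null
  csr ica "Demo Intermediate CA"; sign ica ca v3_ica 1825
  csr server "vpn.example.test"; sign server ica v3_server 365
  csr rogue "Rogue Sub-CA";      sign rogue ica v3_ica 365    # a CA issued below pathlen:0
  csr leaf "leaf.example.test";  sign leaf rogue v3_server 365
  cat "$W/ica.crt" "$W/rogue.crt" > "$W/untrusted.pem"
}
# 0 when the legitimate server chain validates for TLS server use
verify_server() { openssl verify -CAfile "$W/ca.crt" -untrusted "$W/ica.crt" -purpose sslserver "$W/server.crt" >/dev/null 2>&1; }
# 0 when the chain through the rogue sub-CA is rejected (path length constraint exceeded)
rogue_rejected() { ! openssl verify -CAfile "$W/ca.crt" -untrusted "$W/untrusted.pem" "$W/leaf.crt" >/dev/null 2>&1; }
```

Run `build_chain; verify_server && rogue_rejected && echo ok` to see both checks pass; `openssl x509 -in "$W/ica.crt" -noout -text` shows the pathlen:0 constraint that blocks the rogue sub-CA.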