Intermediate CA
Posted: Wed Nov 23, 2022 6:52 pm
I need to give managers time-limited access to add OpenVPN users.
I can have them submit CSRs to me for each user and I return a signed cert for that user. But if I (read: my server) is not available, then they're out of luck. I also have a distaste for such highly centralized solutions.
I would like to give my managers a short-duration Intermediate CA certificate, for, say, 24 hours, that they can use to onboard their new users as needed. But for this to be possible, it seems like two things need to happen:
1. OpenVPN must not require Certificate Validity Nesting - i.e. a certificate expiring in one day can sign a certificate good for one year (see https://security.stackexchange.com/ques ... -509-chain)
2. There must be some timestamping to make sure that expired intermediaries don't sign after expiration by backdating the date of the signature, à la RFC 3161. And OpenVPN must verify the timestamp on connection.
So, is this a pipe dream or is there something here that could be made to work?
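Point 1 is really a question about path validation rather than issuance, so here is an added shell demo (not from this post or from the OpenVPN project) that uses OpenSSL to build a root, a one-day intermediate and a one-year user certificate and then checks the chain with `openssl verify -attime` at different clock times: the intermediate signs the longer-lived leaf without complaint, but once the intermediate's notAfter has passed the whole chain is rejected, which is the same per-certificate validity check OpenSSL, and therefore OpenVPN's OpenSSL backend, applies when a client connects. All names, lifetimes and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the post): root (10 years) -> intermediate (1 day)
# -> user cert (365 days), then path validation at chosen clock times.
# Names, lifetimes and the working directory are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME CN DAYS ISSUER EXTFILE  (ISSUER "self" = self-signed root)
issue_cert() {
    name=$1 cn=$2 days=$3 issuer=$4 ext=$5
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days "$days" -extfile "$WORK/$ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        # openssl never compares DAYS with the issuer's own notAfter: a 1-day
        # CA signs a 365-day leaf without complaint (no validity nesting).
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days "$days" \
            -extfile "$WORK/$ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
        > "$WORK/user.ext"
    issue_cert root  "Demo Root"         3650 self  ca.ext    # trust anchor
    issue_cert inter "Demo Intermediate" 1    root  ca.ext    # 24h delegated CA
    issue_cert user  "Demo User"         365  inter user.ext  # one-year client cert
}

# chain_valid_at EPOCH: exit 0 only if every cert in the path is valid at EPOCH;
# this is the check OpenSSL (and so OpenVPN) runs when the client presents user.crt.
chain_valid_at() {
    openssl verify -attime "$1" -CAfile "$WORK/root.crt" \
        -untrusted "$WORK/inter.crt" "$WORK/user.crt" >/dev/null 2>&1
}

build_pki
now=$(date +%s)
chain_valid_at "$now" && echo "now:          chain accepted"
chain_valid_at "$((now + 2 * 86400))" || \
    echo "now + 2 days: chain rejected (intermediate expired, user.crt still has ~363 days)"
```

The second point from the post is visible here too: nothing at signing time stops a CA key from signing after its certificate has expired, so the only protection is the verifier's own clock, and a backdated signature would not be caught without an external timestamp.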