When creating a sub-CA, we should determine the pathLen constraint of the entire certification chain and error if the sub-CA would be invalid due to violation.
This ticket is to track Dogtag ticket https://fedorahosted.org/pki/ticket/1383 and ensure that we handle this failure mode appropriately on the IPA side.
Processing leftovers from 4.2 backlog - this ticket was found as suitable for consideration in next big feature release - 4.4.
Metadata Update from @ftweedal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Closing WONTFIX. The main work is on PKI side. If we ever get around to implementing it at all, the changes on IPA side should be minimal if any.
Workaround: don't do that :)
Metadata Update from @ftweedal: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
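The check requested in the ticket description, sketched as an added example (this is not FreeIPA or Dogtag code; the function names and the list-of-integers chain model are assumptions made here). It follows the RFC 5280 meaning of pathLenConstraint, also enforces the root's own constraint, and assumes no self-issued certificates in the chain.

```python
from typing import Optional, Sequence


class PathLenViolation(ValueError):
    """A new sub-CA under this chain could never issue a valid certificate."""


def remaining_depth(chain: Sequence[Optional[int]]) -> Optional[int]:
    """Return how many further CA levels may exist below a NEW sub-CA.

    `chain` holds the pathLenConstraint of every CA certificate from the
    root down to the intended issuer; None means the field is absent.
    Returns None when no certificate in the chain sets a constraint.
    """
    k = len(chain)
    remaining: Optional[int] = None
    for i, path_len in enumerate(chain):
        if path_len is None:
            continue
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
        # CA certificates that would follow chain[i] in a path ending at a
        # leaf issued by the new sub-CA, counting the new sub-CA itself.
        below = k - i
        slack = path_len - below
        if slack < 0:
            raise PathLenViolation(
                f"CA at depth {i} has pathLen={path_len} but {below} "
                f"CA certificate(s) would follow it"
            )
        remaining = slack if remaining is None else min(remaining, slack)
    return remaining


def effective_path_len(chain: Sequence[Optional[int]],
                       requested: Optional[int] = None) -> Optional[int]:
    """Tightest pathLen that actually applies to the new sub-CA.

    Raises PathLenViolation if the sub-CA would be unusable; otherwise
    returns the smaller of the requested value and what the chain allows.
    """
    allowed = remaining_depth(chain)
    if allowed is None:
        return requested
    if requested is None:
        return allowed
    return min(requested, allowed)
```

A return value of 0 means the new sub-CA may issue end-entity certificates only; a requested pathLen larger than the chain allows is not an error, it is simply capped.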