How does AWS Private CA limit the certification path length?

0

We only need to manage 3-4 levels of CA using Private CA, but the total certificate path is somewhere around 7. Basically, only the top root and intermediate CAs will need to be managed by Private CA. There will be additional, unmanaged intermediate CAs running on private hardware that will do the actual leaf certificate issuing. The documentation says the maximum certification path length is 5, but I'm not sure how that exactly works in our use case since Private CA wouldn't be aware of the additional levels. How does AWS Private CA limit the certification path length? Does it make the pathLength field in the BasicConstraints extension mandatory? If not, would my use case be viable with Private CA?

Dani
asked 2 years ago · 488 views
2 Answers
3

Hi Dani,

I understand you would like to know more about the mechanics of path lengths within PCA. Here are some insights into your questions:

Could I have a CA hierarchy with length 10 as long as only 5 levels are managed within PCA? Response: The structure of a CA hierarchy is defined and enforced by the basic constraints extension that each certificate contains. The extension defines two constraints: (A) cA – Whether the certificate defines a CA. If this value is false (the default), then the certificate is an end-entity certificate. (B) pathLenConstraint – The maximum number of lower-level subordinate CAs that can exist in a valid chain of trust. The end-entity certificate is not counted because it is not a CA certificate. A root CA certificate needs maximum flexibility and does not include a path length constraint. This allows the root to define a certification path of any length.

However, with AWS Private CA, you can only create a hierarchy of certificate authorities with up to five levels. The root CA, at the top of a hierarchy tree, can have any number of branches. The root CA can have as many as four levels of subordinate CAs on each branch. You can also create multiple hierarchies, each with its own root.

Does PCA refuse to create X509 certificates with path length field values above 5? Note: PCA supports complex hierarchies with up to five levels. Each CA in the tree is backed by an X.509 v3 certificate with signing authority. This means that as CAs, they can sign other certificates subordinate to them. When a CA signs a lower-level CA's certificate, it confers limited, revocable authority on the signed certificate.

How does AWS Private CA limit the certification path length? Does it make the pathLength field in the BasicConstraints extension mandatory? Response: It uses what is called PathLenConstraint. Subordinate CAs have pathLenConstraint values equal to or greater than zero, depending on location in the hierarchy placement and desired features. For example, in a hierarchy with three CAs, no path constraint is specified for the root CA. The first subordinate CA has a path length of 1 and can therefore sign child CAs. Each of these child CAs must necessarily have a pathLenConstraint value of zero. This means that they can sign end-entity certificates but cannot issue additional CA certificates. Limiting the power to create new CAs is an important security control.

I hope this helps. Let me know if I answered your question or if you have any follow-up.

Kind regards, Ahmed

References:

[1] https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html

[2] https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html#length-constraints

[3] https://docs.aws.amazon.com/privateca/latest/userguide/PcaTerms.html#terms-pathlength

answered 2 years ago
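To make the mechanics in the answer concrete, here is an added example (not code from the answer, from AWS, or from the AWS Private CA documentation) that models the hierarchy Dani describes: a root and three PCA-managed subordinates, followed by two unmanaged intermediates and a leaf, for a path of seven certificates. It implements the RFC 5280 section 6.1 path-length processing that any standards-conforming relying party (a browser, OpenSSL, a TLS library) applies when it validates the chain. The certificate names and pathLenConstraint values are constructed for illustration; the point is that what decides whether the unmanaged levels validate is the pathLenConstraint actually written into the lowest PCA-issued CA certificate, not anything PCA enforces internally.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal model of the parts of an X.509 certificate that path-length
    processing looks at (constructed for this example, not a real parser)."""
    name: str
    issuer: str
    is_ca: bool                     # basicConstraints.cA
    path_len: Optional[int] = None  # basicConstraints.pathLenConstraint, None if absent

    @property
    def self_issued(self) -> bool:
        return self.name == self.issuer


def validate_path_length(trust_anchor: Cert, path: List[Cert]) -> Tuple[bool, str]:
    """RFC 5280 section 6.1 path-length checks for `path`: the certificates
    below the trust anchor, listed top-down and ending with the end-entity cert.
    Returns (ok, reason)."""
    max_path_length = len(path)  # 6.1.2: initialised to n, the path length
    expected_issuer = trust_anchor.name
    for index, cert in enumerate(path):
        if cert.issuer != expected_issuer:
            return False, f"{cert.name}: issued by {cert.issuer!r}, expected {expected_issuer!r}"
        if index == len(path) - 1:
            break  # end-entity certificate: 6.1.4 is not run for the last cert
        # 6.1.4 (k): every certificate except the last must be a CA certificate
        if not cert.is_ca:
            return False, f"{cert.name}: cA=false but it signs a further certificate"
        # 6.1.4 (l): a non-self-issued CA cert consumes one unit of remaining length
        if not cert.self_issued:
            if max_path_length <= 0:
                return False, f"{cert.name}: pathLenConstraint of an ancestor is exhausted"
            max_path_length -= 1
        # 6.1.4 (m): a tighter constraint in this cert lowers the remaining length
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
        expected_issuer = cert.name
    return True, "ok"


# Constructed hierarchy: root + 3 PCA-managed subordinates, then 2 unmanaged
# intermediates on private hardware, then the leaf (7 certificates in total).
ROOT = Cert("Root", "Root", is_ca=True)  # roots carry no pathLenConstraint


def managed_subordinates(lowest_path_len: int) -> List[Cert]:
    """The PCA-managed part of the tree. Only the lowest managed CA's
    pathLenConstraint is varied, because that value gates everything beneath it."""
    return [
        Cert("PCA-Sub1", "Root", is_ca=True, path_len=4),
        Cert("PCA-Sub2", "PCA-Sub1", is_ca=True, path_len=3),
        Cert("PCA-Sub3", "PCA-Sub2", is_ca=True, path_len=lowest_path_len),
    ]


UNMANAGED_TAIL = [
    Cert("HW-Int1", "PCA-Sub3", is_ca=True, path_len=1),
    Cert("HW-Int2", "HW-Int1", is_ca=True, path_len=0),
    Cert("leaf.example.internal", "HW-Int2", is_ca=False),
]


def check_seven_level_chain(lowest_managed_path_len: int) -> Tuple[bool, str]:
    """Validate the full seven-certificate path for a given pathLenConstraint on
    the lowest PCA-managed CA. With 2 the two unmanaged intermediates fit;
    with 0 the first unmanaged intermediate is rejected."""
    return validate_path_length(ROOT, managed_subordinates(lowest_managed_path_len) + UNMANAGED_TAIL)


if __name__ == "__main__":
    for value in (2, 0):
        ok, reason = check_seven_level_chain(value)
        print(f"PCA-Sub3 pathLenConstraint={value}: {'valid' if ok else 'INVALID'} ({reason})")
```

Run as a script it prints one line per scenario. The thing to take away for the design question is that `validate_path_length` never sees which product issued which certificate; the hierarchy is only as deep as the smallest pathLenConstraint along the path allows, so a lowest managed CA issued with pathLen 0 (the pattern the answer describes for a three-CA hierarchy) cannot be extended by unmanaged intermediates no matter how the outside CAs are configured, while a managed CA issued with a larger value can.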
0
answered 2 years ago
Hi! I understand what a path length constraint is. My question is more about the mechanics of path lengths within PCA. For example, could I have a CA hierarchy with length 10 as long as only 5 levels are managed within PCA? Does PCA refuse to create X509 certificates with path length field values above 5? The documentation is unclear as to how this mechanism actually works. I suspect that it's a simple internal check that counts the number of CAs in the chain and refuses to create a sixth. This wouldn't prevent continuing the chain outside of PCA.
