Thanks for the feedback, to summarise:
What I want to achieve is a sub-ca that can sign certs for .mydomain.com
but not outside that domain - so for example it cannot sign for
www.mybank.com. I have a moderately controlled environment and can
specify things like minimum browser versions.
It's
there is no
constraint on the DN included.
Right.
- Is it possible to specify multiple nameConstraints in the openssl.cnf
so that both CN and subjectAlternativeName are constrained?
- Is it possible to specify a dirName nameConstraint that allows CN to
contain *.mydomain.com where * is anything but not allow CN = anything
that does not end in .mydomain.com?
thanks
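As an added example (not code from this thread or from OpenSSL), here is a small Python model of how a validator applies a dNSName nameConstraints entry of the kind asked about above. The config value, the function names and the sample leaf certificates are constructed for illustration. It implements the RFC 5280 DNS subtree rule the way OpenSSL's nc_dns() compares names (a leading dot restricts to subdomains only, a bare name also permits the name itself), parses the openssl.cnf nameConstraints value syntax, and shows why a certificate that carries the host name only in the subject CN is not covered by a plain dNSName constraint unless the validator also treats a hostname-shaped CN as a dNSName.

```python
"""Model of dNSName name-constraint enforcement for a constrained sub-CA.

Added example, not code from the original thread. The constraint value and
the candidate certificates below are constructed for illustration.
"""


def dns_name_matches(name: str, base: str) -> bool:
    """Return True if ``name`` lies inside the DNS subtree ``base``.

    Mirrors the comparison OpenSSL performs: an empty base matches anything;
    a base with a leading dot (".mydomain.com") matches only names that end
    with it, i.e. subdomains; a base without a leading dot ("mydomain.com")
    matches the base itself and any name built by adding labels on the left.
    Comparison is case-insensitive.
    """
    name, base = name.lower(), base.lower()
    if base == "":
        return True
    if len(name) > len(base):
        cut = len(name) - len(base)
        # "evilmydomain.com" must not satisfy "mydomain.com": the character
        # before the suffix has to be a label separator unless base has one.
        if not base.startswith(".") and name[cut - 1] != ".":
            return False
        return name[cut:] == base
    return name == base


def parse_name_constraints(value: str):
    """Parse an openssl.cnf ``nameConstraints`` value.

    Syntax: optional ``critical`` followed by comma-separated
    ``permitted;TYPE:name`` / ``excluded;TYPE:name`` items. Only DNS entries
    are modelled here; other types (email, IP, dirName, ...) are returned
    unchanged in ``other`` so the caller can see they were not evaluated.
    """
    critical = False
    permitted, excluded, other = [], [], []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.lower() == "critical":
            critical = True
            continue
        scope, _, general_name = item.partition(";")
        kind, _, name = general_name.partition(":")
        if kind.strip().upper() != "DNS":
            other.append(item)
            continue
        bucket = {"permitted": permitted, "excluded": excluded}.get(scope.strip().lower())
        if bucket is None:
            raise ValueError(f"unknown nameConstraints scope in {item!r}")
        bucket.append(name.strip())
    return critical, permitted, excluded, other


def check_dns_names(dns_names, permitted, excluded):
    """Return [(name, reason)] for every dNSName that violates the constraints.

    RFC 5280 rule: a name must fall inside at least one permitted subtree of
    its type (when any are given) and inside no excluded subtree.
    """
    violations = []
    for n in dns_names:
        if any(dns_name_matches(n, b) for b in excluded):
            violations.append((n, "excluded"))
        elif permitted and not any(dns_name_matches(n, b) for b in permitted):
            violations.append((n, "not in a permitted subtree"))
    return violations


def evaluate_leaf(cn, san_dns, constraint_value, cn_as_dns=False):
    """Apply the sub-CA's DNS constraints to a leaf given its CN and SAN dNSNames.

    cn_as_dns=False examines subjectAltName entries only, which is the plain
    dNSName rule and the reason the thread asks how CN can be covered.
    cn_as_dns=True additionally treats the CN as a dNSName, modelling a
    validator that applies the constraint to a hostname-shaped CN.
    """
    _, permitted, excluded, _ = parse_name_constraints(constraint_value)
    names = list(san_dns)
    if cn_as_dns and cn:
        names.append(cn)
    return check_dns_names(names, permitted, excluded)


# Constructed value mirroring the thread's goal: the leading dot means
# "anything ending in .mydomain.com" and nothing else.
SUB_CA_NAME_CONSTRAINTS = "critical, permitted;DNS:.mydomain.com"

if __name__ == "__main__":
    samples = [  # (subject CN, SAN dNSName list), all constructed
        ("www.mydomain.com", ["www.mydomain.com"]),
        ("www.mybank.com", ["www.mybank.com"]),
        ("www.mybank.com", []),  # CN only, no SAN: the gap the thread is about
    ]
    for cn, san in samples:
        print(cn, san,
              "SAN-only:", evaluate_leaf(cn, san, SUB_CA_NAME_CONSTRAINTS),
              "CN-as-DNS:", evaluate_leaf(cn, san, SUB_CA_NAME_CONSTRAINTS, cn_as_dns=True))
```

The third sample is the case to watch when relying on a constrained sub-CA: with no SAN present the dNSName constraint has nothing to match, so whether the CN gets checked depends entirely on the validator, not on the CA certificate. A dirName constraint, as the reply above notes, cannot express a suffix match on CN either.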
Stephen Lewis step...@commsguy.eu writes:
[...]
- Is it possible to specify a dirName nameConstraint that allows CN to
contain *.mydomain.com where * is anything but not allow CN = anything
that does not end in .mydomain.com?
I don't think that's possible (independent of what's expressible
I'm trying to create a sub-ca with name constraints for website
certificate generation with the effect that sub-ca can sign only certs
for *.mydomain.com, i.e. anything ending in .mydomain.com
thanks
stephen
You should be aware that, unfortunately, this is only possible in a
controlled