Hi, I'm trying to create a sub-CA with name constraints for website certificate generation, with the effect that the sub-CA can sign only certs for *.mydomain.com, i.e. anything ending in .mydomain.com.

I'm trying to do this using the nameConstraints extension. I find that if I specify a single nameConstraints = permitted;DNS:*.mydomain.com then the behaviour is as desired for certs that use the subjectAlternativeName rather than the DN; for example, a signed cert with subjectAlternativeName=DNS:myserver.mydomain.com passes validation, whereas one with subjectAlternativeName=DNS:www.mybank.com correctly fails validation. However, this is easily subverted by the sub-CA issuing certs with the website name in the CN and without a subjectAlternativeName; for example, CN=www.mybank.com passes validation, presumably because there is no constraint on the DN included.

- Is it possible to specify multiple nameConstraints in the openssl.cnf so that both CN and subjectAlternativeName are constrained?
- Is it possible to specify a dirName nameConstraint that allows CN to contain *.mydomain.com, where * is anything, but does not allow CN = anything that does not end in .mydomain.com?

thanks
stephen

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
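Added example (editor's, not from the original post or from the OpenSSL project): the shell script below builds a throwaway PKI (root -> name-constrained sub-CA -> three leaf certs) and reproduces the three cases in the post, so the behaviour can be checked against whatever OpenSSL is installed. Two points it demonstrates: several constraints go into one nameConstraints value, comma-separated (here a permitted DNS subtree plus an excluded IPv4 range), and the DNS subtree is written in the leading-dot form, .mydomain.com, which OpenSSL matches as "ends with .mydomain.com". It does not use a dirName constraint, because a dirName constraint matches a prefix of the subject DN, RDN by RDN, and cannot express "CN ends with .mydomain.com". The third case (CN only, no SAN) is the bypass the post describes; OpenSSL 1.1.0 and later, to my knowledge, also check a DNS-looking leaf CN against DNS constraints, so on those releases it fails as well, while older releases let it through. Assumed: an openssl binary on PATH; all names and domains are invented.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenSSL project.
# Builds a temporary PKI and chain-validates three leaf certs issued by a
# name-constrained sub-CA.  Assumes `openssl` is on PATH; all names invented.
set -eu

# Issue a server cert from the sub-CA.  $1 = file stem, $2 = subject,
# $3 = subjectAltName value, or "" for none (the CN-only case from the post).
nc_issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$NC_DIR/demo.cnf" \
        -subj "$2" -keyout "$NC_DIR/$1.key" -out "$NC_DIR/$1.csr" >/dev/null 2>&1
    printf '[ leaf ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
        > "$NC_DIR/$1.ext"
    if [ -n "$3" ]; then
        printf 'subjectAltName = %s\n' "$3" >> "$NC_DIR/$1.ext"
    fi
    openssl x509 -req -in "$NC_DIR/$1.csr" -CA "$NC_DIR/sub.crt" \
        -CAkey "$NC_DIR/sub.key" -CAcreateserial -days 30 \
        -extfile "$NC_DIR/$1.ext" -extensions leaf \
        -out "$NC_DIR/$1.crt" >/dev/null 2>&1
}

# Chain-validate one leaf (root trusted, sub-CA supplied as untrusted) and
# print OK or FAIL.  The "<file>: OK" line is matched instead of the exit
# status because old `openssl verify` releases exited 0 even on failure.
nc_verify_leaf() {
    if openssl verify -CAfile "$NC_DIR/root.crt" -untrusted "$NC_DIR/sub.crt" \
            "$NC_DIR/$1.crt" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Build the PKI, verify the three leaves, and leave the results in
# NC_SAN_IN / NC_SAN_OUT / NC_CN_ONLY (SKIP if openssl is not installed).
nc_demo() {
    if ! command -v openssl >/dev/null 2>&1; then
        NC_SAN_IN=SKIP; NC_SAN_OUT=SKIP; NC_CN_ONLY=SKIP
        return 0
    fi
    NC_DIR=$(mktemp -d)
    cat > "$NC_DIR/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Several constraints in one value, comma-separated.  Leading dot = any
# name ending in .mydomain.com; the IP exclusion forbids all IPv4 SANs.
nameConstraints = critical, permitted;DNS:.mydomain.com, excluded;IP:0.0.0.0/0.0.0.0
EOF
    # Self-signed root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$NC_DIR/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$NC_DIR/root.key" -out "$NC_DIR/root.crt" >/dev/null 2>&1
    # Sub-CA carrying the nameConstraints extension.
    openssl req -new -newkey rsa:2048 -nodes -config "$NC_DIR/demo.cnf" \
        -subj "/CN=Demo Sub CA" \
        -keyout "$NC_DIR/sub.key" -out "$NC_DIR/sub.csr" >/dev/null 2>&1
    openssl x509 -req -in "$NC_DIR/sub.csr" -CA "$NC_DIR/root.crt" \
        -CAkey "$NC_DIR/root.key" -CAcreateserial -days 30 \
        -extfile "$NC_DIR/demo.cnf" -extensions v3_subca \
        -out "$NC_DIR/sub.crt" >/dev/null 2>&1

    nc_issue_leaf san_in  "/CN=myserver.mydomain.com" "DNS:myserver.mydomain.com"
    nc_issue_leaf san_out "/CN=www.mybank.com"        "DNS:www.mybank.com"
    nc_issue_leaf cn_only "/CN=www.mybank.com"        ""

    NC_SAN_IN=$(nc_verify_leaf san_in)
    NC_SAN_OUT=$(nc_verify_leaf san_out)
    NC_CN_ONLY=$(nc_verify_leaf cn_only)
    rm -rf "$NC_DIR"
}

nc_demo
echo "SAN inside permitted subtree: $NC_SAN_IN   (expected OK)"
echo "SAN outside subtree:          $NC_SAN_OUT   (expected FAIL)"
echo "CN only, no SAN:              $NC_CN_ONLY   (1.1.0+: FAIL; older: OK)"
```

Run it with sh; to see the actual error text ("permitted subtree violation") for the failing cases, drop the 2>&1 | grep in nc_verify_leaf and let openssl verify print.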