Stephen Lewis <step...@commsguy.eu> writes: [...]
> - Is it possible to specify a dirName nameConstraint that allows CN to
>   contain *.mydomain.com where * is anything but not allow CN = anything
>   that does not end in .mydomain.com ?

I don't think that's possible (independent of what's expressible in
openssl.cnf). See the description in RFC 5280,
<http://tools.ietf.org/html/rfc5280#page-42>. The intent seems clearly
subtree-based, not any more general pattern-matching, so
CN=*.mydomain.com and similar hacks don't seem cleanly controllable by
this.

I'd guess the best thing to do would be to somehow require the use of
the proper subjectAltName form---I don't know of a generally accepted
way to do that.
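
The subtree semantics described in the reply above, as an added example that is not part of the original message and is not OpenSSL code: a simplified Python model of RFC 5280 dNSName and directoryName constraint matching, showing that a dirName subtree cannot restrict what a CN contains. The DN representation, the sample names and the `review_request` policy of requiring a dNSName subjectAltName are assumptions of this example.

```python
# Added illustration, not OpenSSL code. DNs are lists of (attribute, value)
# RDNs, most significant first; matching is simplified from RFC 5280.

def dns_in_subtree(name, base):
    """dNSName constraint: name is base with zero or more labels added on the left."""
    n = name.lower().rstrip(".").split(".")
    b = base.lower().rstrip(".").split(".")
    return len(n) >= len(b) and n[-len(b):] == b

def dirname_in_subtree(name, base):
    """directoryName constraint: base's RDN sequence must be a prefix of name's.
    Values are compared for equality only (case and spacing folded here)."""
    def norm(dn):
        return [(a.upper(), " ".join(v.lower().split())) for a, v in dn]
    n, b = norm(name), norm(base)
    return n[:len(b)] == b

def review_request(subject, san_dns, permitted_dns, permitted_dir):
    """Hypothetical issuance-time policy: hostnames must appear as dNSName
    subjectAltName entries inside permitted_dns; the CN is not trusted."""
    problems = []
    if not dirname_in_subtree(subject, permitted_dir):
        problems.append("subject outside permitted dirName subtree")
    if not san_dns:
        problems.append("no dNSName subjectAltName")
    for host in san_dns:
        bare = host[2:] if host.startswith("*.") else host
        if not dns_in_subtree(bare, permitted_dns):
            problems.append("dNSName outside permitted subtree: " + host)
    return problems

# Constructed sample data.
ORG = [("O", "My Org")]
GOOD = ORG + [("CN", "www.mydomain.com")]
BAD = ORG + [("CN", "www.other.example")]
WILDCARD_BASE = ORG + [("CN", "*.mydomain.com")]

if __name__ == "__main__":
    # The dirName subtree accepts both subjects: it never looks inside the CN.
    print(dirname_in_subtree(GOOD, ORG), dirname_in_subtree(BAD, ORG))
    # "*" in a dirName base is a literal character, so nothing useful matches.
    print(dirname_in_subtree(GOOD, WILDCARD_BASE))
    # Label-wise suffix matching on dNSName does express the intended rule.
    print(dns_in_subtree("www.mydomain.com", "mydomain.com"),
          dns_in_subtree("evilmydomain.com", "mydomain.com"))
    print(review_request(BAD, [], "mydomain.com", ORG))
    print(review_request(GOOD, ["www.mydomain.com"], "mydomain.com", ORG))
```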