Thanks for the feedback, to summarise: What I want to achieve is a sub-ca that can sign certs for .mydomain.com but not outside that domain - so for example it cannot sign for www.mybank.com. I have a moderately controlled environment and can specify things like minimum browser versions.
It's possible to include a nameConstraint in the sub-ca cert on dnsName (subjectAltName) for .mydomain.com - this will match anything.mydomain.com but not www.mybank.com. This is the desired behaviour but it can be subverted by putting CN=www.mybank.com in the dirName and not using subjectAltName.

From the feedback received:

1. It seems it's not possible to specify a wildcard in restrictions on CN.
2. Many environments (browsers) do not check nameConstraints properly, if at all.

Is there a way to force the absence of CN and use dnsName? For example, is it possible to specify constraints on *both* dirName and subjectAltName (dnsName in this case) in the same sub-ca cert, for example dirName=/DC=com/DC=mydomain *and* dnsName=.mydomain.com? If this is possible, will it prevent the use of CN in dirName?

In other words, something like this (allowing that my syntax is almost certainly broken):

    [ subca_ext ]
    nameConstraints = permitted;DNS:.mydomain.com
    nameConstraints = permitted;dirName:mydirname

    [ mydirname ]
    DC=com
    1.DC=mydomain

As I have it, I can include either one but not both of the nameConstraints lines and get a cert with the specified constraint.

Any ideas, or am I out of luck here?

thanks
stephen
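As an added example (not from Stephen's post and not OpenSSL project code), the following POSIX shell script builds a throwaway root CA and a sub-CA whose certificate carries both a permitted DNS subtree and a permitted dirName subtree in a single nameConstraints extension. OpenSSL's x509v3 config treats nameConstraints as a multi-valued extension, so the two "permitted;" entries are comma-separated on one line rather than written as two "nameConstraints =" lines. The CA names, the .mydomain.com domain and the temporary paths are constructed for the example; it assumes an openssl binary on PATH. It then decodes the sub-CA certificate to confirm both subtrees were encoded. Whether a given relying party actually enforces the dirName subtree against a CN (point 2 in the post) is a separate question that this script does not test.

```shell
#!/bin/sh
# Added example, not from the original post: issue a sub-CA whose certificate
# carries both a permitted DNS subtree and a permitted dirName subtree in ONE
# nameConstraints extension. Assumes an `openssl` binary on PATH; the names,
# domain and paths below are constructed for the example.

# Write the shared OpenSSL config into directory $1.
write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = overridden-by-subj

[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ subca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# Both permitted subtrees in a single extension: DNS names under
# .mydomain.com AND directory names under DC=com, DC=mydomain.
nameConstraints = critical, permitted;DNS:.mydomain.com, permitted;dirName:mydirname

[ mydirname ]
0.DC = com
1.DC = mydomain
EOF
}

# Build root CA + constrained sub-CA in a fresh temp dir; print the sub-CA
# certificate path on success, return non-zero on any failure.
build_constrained_subca() {
  work=$(mktemp -d) || return 1
  write_ca_config "$work"
  # Self-signed root with CA extensions.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$work/root.key" \
    -out "$work/root.crt" -subj "/CN=Example Root CA" -days 30 \
    -config "$work/ca.cnf" -extensions root_ext >/dev/null 2>&1 || return 1
  # Certificate request for the sub-CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/subca.key" \
    -out "$work/subca.csr" -subj "/CN=Example Sub CA" \
    -config "$work/ca.cnf" >/dev/null 2>&1 || return 1
  # Sign it with the root, attaching subca_ext and thus both constraints.
  openssl x509 -req -in "$work/subca.csr" -CA "$work/root.crt" \
    -CAkey "$work/root.key" -CAcreateserial -out "$work/subca.crt" -days 30 \
    -extfile "$work/ca.cnf" -extensions subca_ext >/dev/null 2>&1 || return 1
  echo "$work/subca.crt"
}

# Return 0 if the decoded certificate $1 shows a Permitted block containing
# both the DNS subtree and a DirName subtree.
subca_has_both_constraints() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -q 'Permitted:' || return 1
  printf '%s\n' "$text" | grep -q 'DNS:.mydomain.com' || return 1
  printf '%s\n' "$text" | grep -q 'DirName' || return 1
}

# Stand-alone run: print the Name Constraints block of the sub-CA certificate.
cert=$(build_constrained_subca) || { echo "build failed" >&2; exit 1; }
openssl x509 -in "$cert" -noout -text |
  awk '/Name Constraints/ { p = 1 } p { print } /DirName/ { exit }'
```

The sub-CA is given pathlen:0 and the constraint is marked critical so that a verifier which does not understand nameConstraints rejects the chain instead of silently ignoring the restriction; the dirName section uses the 0.DC / 1.DC prefixes because an OpenSSL config section cannot hold two bare keys with the same name.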