I have an example, detailed below, that specifies permitted and excluded subtrees for a sub-CA. Later it uses the sub-CA cert to sign certificate requests that both adhere to and violate the name constraints, even though the nameConstraints are marked as critical. Is this OpenSSL misbehaving, or did I miss something when creating the sub-CA certificate or issuing the user certificate?

thanks/jeff
"openssl.cnf" lines for the Root CA when issuing the sub-CA's certificate:

  ...
  nameConstraints = critical,@name_const_section

  [ name_const_section ]
  excluded;dirName=excluded_DN
  permitted;dirName=permitted_DN

  [ excluded_DN ]
  O=bad

  [ permitted_DN ]
  O=good

Print out of the sub-CA's cert (trustedcacert.pem):

  Certificate Details:
      Serial Number: 22 (0x16)
      Validity
          Not Before: Jun 3 13:13:36 2010 GMT
          Not After : Jun 3 13:13:36 2011 GMT
      Subject:
          countryName         = US
          stateOrProvinceName = NY
          organizationName    = AcmeCorp
          commonName          = AcmeCorp
      X509v3 extensions:
          ...
          X509v3 Key Usage: critical
              Certificate Sign, CRL Sign
          X509v3 Basic Constraints: critical
              CA:TRUE, pathlen:0
          X509v3 Name Constraints: critical
              Permitted:
                DirName: O = good
              Excluded:
                DirName: O = bad

Commands issued to create CSRs and sign them with the sub-CA's cert:

  # signing the good cert req
  openssl req -new -newkey rsa:2048 -nodes -keyout "goodkey.pem" \
      -sha256 -subj "/O=good+CN=Good\/Instance" -multivalue-rdn \
      > goodcsr.pem
  openssl x509 -CA trustedcacert.pem -CAkey trustedcakey.pem \
      -days 365 -req -in goodcsr.pem -set_serial 2 -out goodcert.pem

  # signing the bad cert req
  openssl req -new -newkey rsa:2048 -nodes -keyout "badkey.pem" \
      -sha256 -subj "/O=bad+CN=Bad\/Instance" -multivalue-rdn \
      > badcsr.pem
  openssl x509 -CA trustedcacert.pem -CAkey trustedcakey.pem \
      -days 365 -req -in badcsr.pem -set_serial 3 -out badcert.pem

Print out of the created badcert.pem:

  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number: 3 (0x3)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=US, ST=NY, O=AcmeCorp, CN=AcmeCorp
          Validity
              Not Before: Jun 3 13:13:38 2010 GMT
              Not After : Jun 3 13:13:38 2011 GMT
          Subject: O=bad, CN=Bad/Instance
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (2048 bit)
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
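Added example (not from the post above, and not OpenSSL project code): the post signs with "openssl x509 -req" and then inspects the issued certificate, but never runs path validation, which is the step at which OpenSSL enforces nameConstraints. The script below rebuilds the same constrained sub-CA, issues a good and a bad leaf exactly the way the post does, and then runs "openssl verify" on both. The self-signed root, the file names, the scratch directory and the minimal req config are assumptions; the leaf subjects use plain single-valued RDNs rather than the post's "-multivalue-rdn" form, so whether a multi-valued RDN such as "O=good+CN=..." still satisfies the dirName prefix match is left as a separate thing to check.

```shell
#!/bin/sh
# Added example, not from the original post. Shows that `openssl x509 -req`
# issues whatever it is asked to, and that nameConstraints are checked by
# `openssl verify` (path validation). Root CA, file names and the scratch
# directory below are assumptions made for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
echo "work dir: $WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_root

[ dn ]

[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Sub-CA extensions: the same constraints as the post, written as an -extfile
# for `openssl x509 -req` (unnamed default section plus the referenced ones).
cat > "$WORK/subca.ext" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,@name_const_section

[ name_const_section ]
excluded;dirName=excluded_DN
permitted;dirName=permitted_DN

[ excluded_DN ]
O=bad

[ permitted_DN ]
O=good
EOF

# csr NAME SUBJECT: fresh RSA key plus CSR, no prompts.
csr() {
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# issue NAME CA SERIAL [EXTFILE]: sign the CSR with `x509 -req`, as the post does.
issue() {
    if [ $# -ge 4 ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
            -set_serial "$3" -days 365 -sha256 -extfile "$4" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
            -set_serial "$3" -days 365 -sha256 -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

build_pki() {
    # Self-signed root (assumed; the post does not show it).
    openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=AcmeRoot/CN=AcmeRoot" -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    # Constrained sub-CA, serial 22 as in the post.
    csr subca "/C=US/ST=NY/O=AcmeCorp/CN=AcmeCorp"
    issue subca root 22 "$WORK/subca.ext"
    # One leaf inside the permitted subtree, one inside the excluded subtree.
    csr good "/O=good/CN=Good"
    issue good subca 2
    csr bad "/O=bad/CN=Bad"
    issue bad subca 3
}

# subject_has_org NAME ORG: true if the issued cert's subject carries O=ORG
# (this is what shows that issuance did not refuse the request).
subject_has_org() {
    openssl x509 -in "$WORK/$1.pem" -noout -subject | grep -q "O *= *$2"
}

# verify_leaf NAME: path validation against the root with the sub-CA as the
# untrusted intermediate. nameConstraints are enforced here, not at issuance.
verify_leaf() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/subca.pem" "$WORK/$1.pem"
}

build_pki
subject_has_org bad bad && echo "bad.pem was issued with O=bad: x509 -req did not refuse it"
verify_leaf good
verify_leaf bad || echo "bad.pem rejected by openssl verify (expected)"
```

Run as-is, the good leaf verifies with "OK" and the bad leaf fails; OpenSSL checks the permitted subtrees before the excluded ones, so the error reported for O=bad is a permitted subtree violation. The practical check for the post's setup is therefore "openssl verify -CAfile root -untrusted trustedcacert.pem badcert.pem", or signing through "openssl ca" with a policy that rejects the subject, rather than expecting "x509 -req" to enforce the issuer's constraints.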