Hi,

Today, XV Kal. Apr. MMIX, Stephen Lewis wrote:
> I'm trying to create a sub-ca with name constraints for website
> certificate generation with the effect that sub-ca can sign only certs
> for *.mydomain.com, i.e. anything ending in .mydomain.com
>
> I'm trying to do this using the nameConstraints extension. I find that
> if I specify a single
> nameConstraints = permitted;DNS:*.mydomain.com
>
> then the behaviour is as desired for certs that use the
> subjectAlternativeName rather than DN, for example a signed cert with
Good, since the X.509 standard doesn't provide examples for pattern
matching on dNSName, only for rfc822Name, and these are written as
".mydomain.com", not "*.mydomain.com".

> However this is easily subverted by sub-ca issuing certs with the
> website name in the CN and without a subjectAlternativeName, for example
> CN=www.mybank.com passes validation, presumably because there is no
> constraint on the DN included.

Right.

> - Is it possible to specify multiple nameConstraints in the openssl.cnf
> so that both CN and subjectAlternativeName are constrained ?
>
> - Is it possible to specify a dirName nameConstraint that allows CN to
> contain *.mydomain.com where * is anything but not allow CN = anything
> that does not end in .mydomain.com ?

Edition 2005/08 of X.509 added a field to the nameConstraints extension,
requiredNameForms; it allows you to explicitly require a dNSName, in order
for the permittedSubtrees to do its job. Unfortunately, this field was
removed in Corrigendum 1, published in 2007/01. Unfortunately also, it
wasn't sufficient (the sub-CA could place a valid dNSName, and place a CN
in the subject with another value).

-- 
Erwann ABALEA <erwann.aba...@keynectis.com>
-----
Mammal: said of a hairy animal with a skeleton, which gives milk. Example: a coconut.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
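As an added example (not code from the thread, nor from OpenSSL's own documentation), the POSIX shell script below reproduces the set-up discussed above with the openssl command line: a root CA, a sub-CA carrying `nameConstraints = critical,permitted;DNS:.mydomain.com` in the leading-dot form the reply points to rather than `*.mydomain.com`, and four leaf certificates covering the cases raised in the thread (SAN inside the permitted subtree, SAN outside it, the bare apex name, and the CN-only certificate with no subjectAltName). The CA names, file paths, config section names and hostnames are constructed for the demo; it assumes an `openssl` binary (1.1.1 or later) on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: build a root CA, a sub-CA limited by
# nameConstraints, and leaf certificates, then verify each leaf against the
# chain. Every name, path and section name here is constructed for the demo.
set -eu

WORK=$(mktemp -d)

# issue_leaf NAME CN SAN   (SAN may be "" for a leaf with no subjectAltName)
issue_leaf() {
    printf '[ leaf ]\nbasicConstraints = CA:FALSE\n' > "$WORK/$1.ext"
    if [ -n "$3" ]; then
        printf 'subjectAltName = DNS:%s\n' "$3" >> "$WORK/$1.ext"
    fi
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" -config "$WORK/ca.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -extensions leaf \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Root CA, constrained sub-CA, and the four leaf certificates under test.
build_pki() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_subca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
# A dNSName constraint is a suffix, not a wildcard pattern: the leading dot
# means "any name ending in .mydomain.com"; "*.mydomain.com" would not work.
nameConstraints = critical,permitted;DNS:.mydomain.com
EOF

    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.crt" -subj "/CN=Demo Root CA" -days 30 \
        -config "$WORK/ca.cnf" -extensions v3_root >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" \
        -out "$WORK/sub.csr" -subj "/CN=Demo Constrained Sub CA" \
        -config "$WORK/ca.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions v3_subca \
        -out "$WORK/sub.crt" >/dev/null 2>&1

    issue_leaf san_ok    www.mydomain.com www.mydomain.com
    issue_leaf san_other www.mybank.com   www.mybank.com
    issue_leaf san_apex  mydomain.com     mydomain.com
    issue_leaf cn_only   www.mybank.com   ""
}

# verify_result NAME: prints "ok" when the chain validates under the sub-CA's
# constraint, "rejected" when openssl verify refuses it (e.g. permitted
# subtree violation).
verify_result() {
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
        "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

build_pki
for leaf in san_ok san_other san_apex cn_only; do
    printf '%-10s %s\n' "$leaf" "$(verify_result "$leaf")"
done
```

`san_ok` validates and `san_other` is refused with a permitted subtree violation, which is the behaviour Stephen saw for SAN-bearing certificates. `san_apex` shows a caveat of the leading-dot form: `mydomain.com` itself does not match `.mydomain.com`, so if the apex must be issuable a second, comma-separated `permitted;DNS:mydomain.com` value is needed. `cn_only` is the bypass discussed in the thread; its result depends on the verifier, since OpenSSL 1.1.0 and later also apply DNS name constraints to a hostname-like subject CN (in the 3.x series when the certificate carries no dNSName SAN), so a current build rejects it, whereas the 2009 build in the thread accepted it. Relying parties that need the guarantee should therefore both constrain the sub-CA and run a verifier that checks the CN.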