> I'm trying to create a sub-ca with name constraints for website
> certificate generation with the effect that sub-ca can sign only certs
> for *.mydomain.com, i.e. anything ending in .mydomain.com
>
> thanks
> stephen

You should be aware that, unfortunately, this is only possible in a controlled environment where you have control over every client. It is *not* possible on the general Internet. Sadly, there are live implementations in widespread deployment (in browsers) that either completely ignore or badly mishandle name constraints.

Unfortunately, the correct approach (as in, the one that works on the Internet) is much more complex:

1) Issue the CA a constrained certificate but one whose use purpose does *not* include certifying web sites.

2) When the CA wants to issue a certificate, it issues a "defective certificate" that cannot be directly used to certify a web site.

3) The recipient of this certificate, or the CA, goes back to you to get a "real certificate" signed by a key for the sub-ca that is not disclosed to the sub-ca. The sub-ca has no control over this process.

This way, *you* (the CA) are the only entity that has to enforce the name constraints.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
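As an added illustration, not code from the thread or from OpenSSL: the dNSName constraint check that every relying party must perform for the constrained sub-CA above (RFC 5280 section 4.2.1.10), which is exactly the check DS notes some clients skip or mishandle. The leading-dot form `.mydomain.com` is assumed to follow OpenSSL's convention (any subdomain, but not the bare name); the CA records and SAN lists are constructed sample data.

```python
"""Added example: DNS name-constraint matching as a relying party should do it.
Constructed sample data only; the leading-dot rule is OpenSSL's convention."""


def dns_matches_base(name: str, base: str) -> bool:
    """True if dNSName `name` lies in the subtree named by constraint `base`."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base.startswith("."):
        # OpenSSL convention (assumed): ".mydomain.com" permits subdomains
        # only, never the bare "mydomain.com".
        return name.endswith(base) and len(name) > len(base)
    # RFC 5280: the base itself, or the base with labels added on the left.
    return name == base or name.endswith("." + base)


def check_name_constraints(san_dns, permitted, excluded):
    """Apply one CA's permitted/excluded DNS subtrees to a leaf's dNSNames.
    Returns (ok, reason). An empty permitted list means 'no restriction';
    a single out-of-scope name rejects the whole certificate."""
    for name in san_dns:
        if any(dns_matches_base(name, b) for b in excluded):
            return False, f"{name} is in an excluded subtree"
        if permitted and not any(dns_matches_base(name, b) for b in permitted):
            return False, f"{name} is outside every permitted subtree"
    return True, "all dNSNames satisfy the constraints"


def verify_chain(leaf_san_dns, chain):
    """Every CA in the path applies its own constraints to the leaf, so the
    relying party must walk the whole chain, not just the direct issuer."""
    for ca in chain:
        ok, reason = check_name_constraints(
            leaf_san_dns, ca.get("permitted", []), ca.get("excluded", []))
        if not ok:
            return False, f"rejected by {ca['name']}: {reason}"
    return True, "accepted"


# Constructed sample: an unconstrained root and a sub-CA limited to .mydomain.com
ROOT = {"name": "Root CA"}
SUB_CA = {"name": "Sub CA", "permitted": [".mydomain.com"], "excluded": []}

if __name__ == "__main__":
    for sans in (["www.mydomain.com"], ["mydomain.com"],
                 ["www.mydomain.com", "www.other.com"], ["evilmydomain.com"]):
        print(sans, "->", verify_chain(sans, [ROOT, SUB_CA]))
```

A leaf listing both a permitted and a non-permitted name is rejected outright, which is the behaviour a defender should test for when rolling out a constrained sub-CA.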