Thanks for the feedback. To summarise:
What I want to achieve is a sub-CA that can sign certs for .mydomain.com
but not outside that domain - so for example it cannot sign for
www.mybank.com. I have a moderately controlled environment and can
specify things like minimum browser versions.
It's pos

Hi
I'm trying to create a sub-CA with name constraints for website
certificate generation with the effect that the sub-CA can sign only certs
for *.mydomain.com, i.e. anything ending in .mydomain.com.
I'm trying to do this using the nameConstraints extension. I find that
if I specify a single
name
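
The goal described in these posts, as an added example that is not part of the original thread: a Python check of dNSName name constraints using the RFC 5280 (section 4.2.1.10) matching rule, suitable for auditing which names a constrained sub-CA may sign. The function names and sample names are constructed, and the handling of a leading-dot constraint is an assumption.

```python
# Added example: dNSName name-constraint matching (RFC 5280, section 4.2.1.10).

def _labels(name):
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def dns_within(name, base):
    """True if `name` falls inside the dNSName subtree `base`.

    RFC 5280: a name satisfies the constraint if it equals the base or can
    be built by adding zero or more labels on the left-hand side.
    """
    if base == "":
        return True  # an empty constraint matches every DNS name
    # Assumption: a leading dot (".mydomain.com") means "subdomains only".
    # RFC 5280 does not define that form for dNSName.
    subdomains_only = base.startswith(".")
    base_labels = _labels(base.lstrip("."))
    name_labels = _labels(name)
    extra = len(name_labels) - len(base_labels)
    if extra < 0 or (subdomains_only and extra == 0):
        return False
    # Compare whole labels from the right, never raw string suffixes.
    return name_labels[extra:] == base_labels


def violations(san_dns_names, permitted, excluded=()):
    """Return the SAN dNSNames a constrained sub-CA must not sign."""
    bad = []
    for name in san_dns_names:
        allowed = not permitted or any(dns_within(name, b) for b in permitted)
        denied = any(dns_within(name, b) for b in excluded)
        if denied or not allowed:
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed sample SANs, checked against the constraint from the post.
    sans = ["www.mydomain.com", "*.mydomain.com", "mydomain.com",
            "www.mybank.com", "evilmydomain.com", "mydomain.com.example.net"]
    print(violations(sans, permitted=["mydomain.com"]))
    print(violations(sans, permitted=[".mydomain.com"]))
```

Matching is done on whole labels, so a look-alike such as evilmydomain.com is rejected even though it ends in the same characters as the permitted base.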