Thanks for the feedback, to summarise:
What I want to achieve is a sub-ca that can sign certs for .mydomain.com
but not outside that domain - so for example it cannot sign for
www.mybank.com. I have a moderately controlled environment and can
specify things like minimum browser versions.
It's pos
bjectAlternativeName, for example
> CN=www.mybank.com passes validation, presumably because there is no
> constraint on the DN included.
Right.
> - Is it possible to specify multiple nameConstraints in the openssl.cnf
> so that both CN and subjectAlternativeName are constrained ?
> I'm trying to create a sub-ca with name constraints for website
> certificate generation with the effect that sub-ca can sign only certs
> for *.mydomain.com, i.e. anything ending in .mydomain.com
> thanks
> stephen
You should be aware that, unfortunately, this is only possible in a controlled
Stephen Lewis writes:
[...]
> - Is it possible to specify a dirName nameConstraint that allows CN to
> contain *.mydomain.com where * is anything but not allow CN = anything
> that does not end in .mydomain.com ?
I don't think that's possible (independent of what's expressible in
openssl.cnf).
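A worked demonstration of the sub-CA the thread is after, added here as an editorial example and not part of any of the original messages: it builds a throwaway root, a sub-CA carrying nameConstraints = critical,permitted;DNS:.mydomain.com, issues three leaf certificates under it and runs openssl verify over each. The DNS constraint is matched against subjectAltName dNSName entries, so www.mydomain.com verifies and www.mybank.com is rejected with a permitted subtree violation. A dirName constraint, by contrast, is an RDN-prefix match on the whole subject and cannot express "CN ends in .mydomain.com", which is why the dirName question has no openssl.cnf answer. The third leaf reproduces the case discussed above (CN=www.mybank.com, no SAN); whether it verifies depends on the OpenSSL release, since later releases added a fallback that checks the CN against DNS constraints when the certificate has no DNS subjectAltName, so the script reports that verdict instead of assuming it. The subject names, the scratch directory layout and the minimal req config are assumptions made for this demo; it needs only a standard openssl binary (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not code from the thread: a scratch two-level PKI whose
# sub-CA carries nameConstraints=permitted;DNS:.mydomain.com, then three
# leaf certificates verified through it.  Subject names and the directory
# layout are assumptions chosen for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the demo does not depend on the system openssl.cnf;
# the subject is passed with -subj, so the [dn] section stays empty.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
EOF

# issue NAME SUBJECT EXTENSIONS [ISSUER]
# Generates a P-256 key and CSR for NAME, then signs it with ISSUER's key,
# or self-signs when ISSUER is omitted.  EXTENSIONS is the -extfile body.
issue() {
    name=$1 subj=$2 exts=$3 issuer=${4:-}
    openssl req -new -config "$WORK/req.cnf" -subj "$subj" \
        -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf '%s\n' "$exts" > "$WORK/$name.ext"
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# verify_leaf NAME: chain NAME.crt -> sub -> root.  The exit status is the
# verdict; openssl's own message (e.g. "permitted subtree violation") is printed.
verify_leaf() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" "$WORK/$1.crt" 2>&1
}

# Root, then the constrained sub-CA.  The leading dot in DNS:.mydomain.com
# permits any name under mydomain.com (www.mydomain.com) but not the apex
# mydomain.com itself, nor look-alikes such as evilmydomain.com.
issue root "/CN=Example Root" "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
issue sub "/CN=mydomain.com issuing CA" "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:.mydomain.com" root

# Three leaves: in scope via SAN, out of scope via SAN, and the thread's case
# of an out-of-scope name carried only in the subject CN with no SAN.
issue good   "/CN=www.mydomain.com" "basicConstraints=CA:FALSE
subjectAltName=DNS:www.mydomain.com" sub
issue bank   "/CN=www.mybank.com"   "basicConstraints=CA:FALSE
subjectAltName=DNS:www.mybank.com" sub
issue cnonly "/CN=www.mybank.com"   "basicConstraints=CA:FALSE" sub

# Expected: good ACCEPTED, bank REJECTED; cnonly depends on the OpenSSL release.
for leaf in good bank cnonly; do
    if out=$(verify_leaf "$leaf"); then
        echo "$leaf: ACCEPTED"
    else
        echo "$leaf: REJECTED"
        echo "$out" | sed 's/^/    /'
    fi
done
```

To see the constraint as it lands in the sub-CA, run openssl x509 -in sub.crt -noout -text and look for the Name Constraints block with its Permitted: DNS:.mydomain.com entry; the same command on the bank leaf shows that nothing in the leaf itself records the violation, it is only the chain check that catches it.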