by ab
3993 days ago
Enforcement of nameConstraints is inconsistent at best. I experimented with name constraints a couple years ago for a private CA project, with the idea that I could restrict the private CA to issuing only names within a chosen subdomain. I remember being able to enforce nameConstraints on the subjectAltName, but I was never able to get it to enforce anything on the subject Common Name. In theory new certificates should always have a critical subjectAltName extension, but this makes it worthless in practice. It's also possible that my X.509 foo is not strong enough, or that I was testing with an older version of OpenSSL that doesn't implement it. http://blog.codekills.net/2012/04/08/adventures-in-x509-the-...
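As an added example (not code from the comment or the linked post), the gap described above can be made concrete with a minimal RFC 5280 dNSName constraint check: it walks the subjectAltName DNS entries and, only when asked, the subject CN, so a CN-only certificate outside the permitted subtree slips through in SAN-only mode. The `Leaf` class and all names are constructed stand-ins, not real certificates.

```python
"""Minimal RFC 5280 dNSName name-constraint check (constructed example).
Shows why a verifier that only inspects subjectAltName misses a CN-only leaf."""
from __future__ import annotations
from dataclasses import dataclass, field


def _dns_matches(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10 matching: the constraint matches the name itself and any
    name built by prepending labels (host.example.com permits www.host.example.com
    but not host1.example.com). A leading dot, an OpenSSL convention, restricts the
    match to strict subdomains."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


def dns_name_allowed(name: str, permitted: list[str], excluded: list[str]) -> bool:
    """Excluded subtrees always win; an empty permitted list means no restriction."""
    if any(_dns_matches(name, b) for b in excluded):
        return False
    if not permitted:
        return True
    return any(_dns_matches(name, b) for b in permitted)


@dataclass
class Leaf:
    """Stand-in for an end-entity certificate: only the fields that matter here."""
    common_name: str | None
    san_dns: list[str] = field(default_factory=list)


def constraint_violations(leaf: Leaf, permitted: list[str], excluded: list[str],
                          check_cn: bool = False) -> list[str]:
    """Return every name on the leaf that falls outside the issuing CA's constraints.
    check_cn=False mirrors a verifier that enforces nameConstraints on SAN only."""
    names = list(leaf.san_dns)
    if check_cn and leaf.common_name:
        names.append(leaf.common_name)
    names = list(dict.fromkeys(names))  # de-duplicate, keep order
    return [n for n in names if not dns_name_allowed(n, permitted, excluded)]


if __name__ == "__main__":
    permitted, excluded = ["corp.example.com"], []
    cn_only = Leaf("host.example.net")  # no SAN at all, CN outside the subtree
    print("SAN-only check:", constraint_violations(cn_only, permitted, excluded))
    print("SAN+CN check:  ", constraint_violations(cn_only, permitted, excluded, True))
```

Run it and the SAN-only mode reports no violation for the CN-only certificate while the SAN+CN mode reports `['host.example.net']`; swapping in a real verifier's output for the same pair of leaves is a quick way to tell which behaviour it implements.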