[openssl-users] x509_config nameConstraints

Ben Humpert ben at an3k.de
Mon May 11 10:37:09 UTC 2015


Hi,

I read the OpenSSL Cookbook by Ivan Ristic and saw how he configured
nameConstraints so I adapted it for my setup.

First I tried the following but that doesn't work.

permitted;DNS.0=lan
permitted;DNS.1=local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP.2=192.168.0.0/255.255.0.0
excluded;IP.3=0.0.0.0/0.0.0.0
excluded;IP.4=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

Then I thought maybe reordering might help like

excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
permitted;DNS.0=lan
permitted;DNS.1=local
permitted;IP.2=10.0.0.0/255.0.0.0
permitted;IP.3=172.16.0.0/255.240.0.0
permitted;IP.4=192.168.0.0/255.255.0.0

but that gives the same result except that the ordering is different.
So I guess as soon as one permitted entry is specified everything else
is automatically excluded (vice-versa for excluded / permitted). If
that's the case the following configuration should only allow
certificates for any domain name using the TLDs lan or local and for
any IP address of one of the three private networks but everything
else will draw the certificate invalid. Is that correct?

permitted;DNS.0=lan
permitted;DNS.1=local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP.2=192.168.0.0/255.255.0.0

If my assumption is correct, why does the CA/Browser Forum’s Baseline
Requirements define this? Do I have to do so because there's a bug
(somewhere) that permits certificates for IP addresses just because
DNS is permitted? Would I also have to exclude email, URI, RID,
dirName and / or othername too?

Thank you very much in advance!


Best regards,

Ben
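Added example, not code from the post or from OpenSSL: a small Python model of how RFC 5280 section 4.2.1.10 evaluates permitted and excluded subtrees per name form, run over subtree lists shaped like the entries above. The subtree lists and the sample SAN values are constructed for the demonstration; only the DNS and IP forms are modelled.

```python
import ipaddress

def dns_in_subtree(name, base):
    """RFC 5280 DNS subtree: name equals base or is a subdomain of it."""
    name, base = name.lower().rstrip("."), base.lower().lstrip(".")
    return name == base or name.endswith("." + base)

def ip_in_subtree(ip, base):
    """IP subtree 'addr/mask': compare the masked address bits, as OpenSSL does."""
    addr, mask = base.split("/")
    a, b, m = (ipaddress.ip_address(x) for x in (ip, addr, mask))
    if not (a.version == b.version == m.version):
        return False  # a v4 SAN is never inside a v6 subtree, and vice versa
    return int(a) & int(m) == int(b) & int(m)

MATCHERS = {"DNS": dns_in_subtree, "IP": ip_in_subtree}

def name_allowed(kind, value, permitted, excluded):
    """Constraints are evaluated per name form: an excluded match rejects,
    otherwise the name must fall in a permitted subtree of the SAME form,
    and a form with no permitted subtree at all is left unrestricted."""
    match = MATCHERS.get(kind, lambda v, b: False)  # other forms: no matcher
    if any(match(value, b) for k, b in excluded if k == kind):
        return False
    perm = [b for k, b in permitted if k == kind]
    return not perm or any(match(value, b) for b in perm)

def cert_allowed(sans, permitted, excluded):
    return all(name_allowed(k, v, permitted, excluded) for k, v in sans)

# Constructed subtree lists in the shape of the post's entries: (form, value).
DNS_ONLY = [("DNS", "lan"), ("DNS", "local")]
PRIVATE_IPS = [("IP", "10.0.0.0/255.0.0.0"), ("IP", "172.16.0.0/255.240.0.0"),
               ("IP", "192.168.0.0/255.255.0.0")]
ALL_IPS = [("IP", "0.0.0.0/0.0.0.0"), ("IP", "0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0")]

if __name__ == "__main__":
    public_ip = [("IP", "203.0.113.5")]  # constructed sample SAN
    print(cert_allowed([("DNS", "nas.lan")], DNS_ONLY, []))               # True
    print(cert_allowed(public_ip, DNS_ONLY, []))                          # True: IP form unconstrained
    print(cert_allowed(public_ip, DNS_ONLY + PRIVATE_IPS, []))            # False
    print(cert_allowed([("IP", "10.1.2.3")], DNS_ONLY + PRIVATE_IPS, []))       # True
    print(cert_allowed([("IP", "10.1.2.3")], DNS_ONLY + PRIVATE_IPS, ALL_IPS))  # False: excluded wins
    print(cert_allowed([("email", "a@example.com")], DNS_ONLY + PRIVATE_IPS, []))  # True
```

The second and last lines of output are the point: permitting only DNS subtrees leaves IP and e-mail SANs unrestricted, which is why an explicit excluded IP subtree is needed to forbid IP certificates, and an excluded subtree always overrides a permitted one of the same form.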

