[openssl-users] x509_config nameConstraints
ben at an3k.de
Mon May 11 10:37:09 UTC 2015
I read the OpenSSL Cookbook by Ivan Ristic and saw how he configured
nameConstraints so I adapted it for my setup.
First I tried the following but that doesn't work.
Then I thought maybe reordering might help like
but that gives the same result except that the ordering is different.
So I guess as soon as one permitted entry is specified everything else
is automatically excluded (vice-versa for excluded / permitted). If
that's the case the following configuration should only allow
certificates for any domain name using the TLDs lan or local and for
any IP address of one of the three private networks but everything
else will draw the certificate invalid. Is that correct?
If my assumption is correct, why does the CA/Browser Forum’s Baseline
Requirements define this? Do I have to do so because there's a bug
(somewhere) that permits certificates for IP addresses just because
DNS is permitted? Would I also have to exclude email, URI, RID,
dirName and / or otherName too?
Thank you very much in advance!
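As an added illustration (not code from the original post), the following script applies the RFC 5280 name-constraint rules for the two name types this question is about, DNS names and IP addresses: excluded subtrees are checked for every name of their type, while permitted subtrees only restrict names of a type for which at least one permitted entry exists. The function names, the constraint sets and the sample SAN lists are constructed for this example.

```python
import ipaddress

def dns_in_subtree(name, base):
    # RFC 5280 4.2.1.10: a base such as "lan" matches "lan" and any name built by
    # adding labels on the left; a leading dot (OpenSSL style) matches subdomains only.
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base)
    return name == base or name.endswith("." + base)

def ip_in_subtree(addr, base):
    # Version mismatch (IPv4 address vs IPv6 network) yields False, as intended.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(base, strict=False)

MATCHERS = {"DNS": dns_in_subtree, "IP": ip_in_subtree}

def name_allowed(kind, value, permitted, excluded):
    """Return True if one SAN entry satisfies the given (kind, base) constraint lists."""
    match = MATCHERS[kind]
    # Any matching excluded subtree of this name type rejects the name outright.
    if any(match(value, base) for k, base in excluded if k == kind):
        return False
    # Permitted subtrees constrain only name types that have at least one entry;
    # a type with no permitted entry is left unrestricted.
    perm = [base for k, base in permitted if k == kind]
    return not perm or any(match(value, base) for base in perm)

def check_sans(sans, permitted, excluded):
    """Map each 'KIND:value' SAN to whether the constraint set accepts it."""
    return {f"{k}:{v}": name_allowed(k, v, permitted, excluded) for k, v in sans}

# Constructed constraint sets: private-network CA, and a DNS-only variant.
PERMITTED = [("DNS", "lan"), ("DNS", "local"), ("IP", "10.0.0.0/8"),
             ("IP", "172.16.0.0/12"), ("IP", "192.168.0.0/16")]
DNS_ONLY = [("DNS", "lan"), ("DNS", "local")]
EXCLUDE_ALL_IP = [("IP", "0.0.0.0/0"), ("IP", "::/0")]

SANS = [("DNS", "host.lan"), ("DNS", "example.com"),
        ("IP", "10.1.2.3"), ("IP", "8.8.8.8")]

if __name__ == "__main__":
    print("DNS+IP permitted:      ", check_sans(SANS, PERMITTED, []))
    print("DNS-only permitted:    ", check_sans(SANS, DNS_ONLY, []))
    print("DNS-only + IP excluded:", check_sans(SANS, DNS_ONLY, EXCLUDE_ALL_IP))
```

With only DNS subtrees permitted, the public IP SAN passes; adding the excluded IP ranges is what rejects it.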