Name Constraints #713
Comments
It's definitely possible to do this, but I'm pretty sure not directly through cfssl, since the Go x509 APIs do not support NameConstraints AFAICT. You would need to re-sign the CA certificate using OpenSSL. You should also be aware that browsers differ on whether they honor NameConstraints in a trust anchor. I believe most of them only honor NameConstraints in an intermediate. So, to generate your own trust chain that is truly name constrained, you would need to generate a self-signed root, sign a name constrained intermediate, then delete the root key, import the self-signed root into the relevant trust stores, and do all your signing with the intermediate. Disadvantage: all relying parties have to simply trust that you really did delete the private key corresponding to the unconstrained root.
As per this test, most clients actually do honour it in the trust root (except, apparently, many on MacOS). Also, even if it only works on intermediates, that is an important use-case too (e.g. project- or department-specific intermediates restricted to appropriate subdomains).
Support for name constraints was added to the x509 package https://golang.org/pkg/crypto/x509/#Certificate.PermittedDNSDomains
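The chain layout described earlier in the thread (unconstrained self-signed root, name-constrained intermediate, root key discarded, all issuance done by the intermediate), built with the `PermittedDNSDomains` field linked above. This is an added example and not code from cfssl, from the linked PR, or from any commenter; the CA names, the permitted domain `example.com` and the two leaf hostnames are constructed for the demonstration. It also shows the caveat a practitioner runs into first: Go's `CreateCertificate` does not refuse to sign a leaf outside the parent's permitted domains, so enforcement happens only on the relying party's side, in `Verify`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Chain is what the operator keeps once the root key is gone: the root certificate
// (to be imported into trust stores) and the constrained intermediate with its key.
type Chain struct {
	Root            *x509.Certificate
	Intermediate    *x509.Certificate
	IntermediateKey *ecdsa.PrivateKey
}

// sign generates a fresh P-256 key for tmpl and signs it with parentKey.
// A nil parent yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildConstrainedChain creates the unconstrained root, uses its key exactly once to sign
// an intermediate restricted to the permitted DNS domains, and lets the root key go out
// of scope (in production: keep it offline or destroy it; only the certificate is needed).
func BuildConstrainedChain(permitted []string) (*Chain, error) {
	now := time.Now()
	root, rootKey, err := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Homelab Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Homelab Constrained Intermediate CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Critical: a verifier that does not implement name constraints must reject
		// the chain instead of silently treating the intermediate as unconstrained.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         permitted,
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, IntermediateKey: interKey}, nil
}

// IssueLeaf signs a server certificate for dnsName with the intermediate. The signer does
// not check its own name constraints, so an out-of-scope name is issued without error.
func (c *Chain) IssueLeaf(dnsName string) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	leaf, _, err := sign(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // constraints are matched against SANs, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 3, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, c.Intermediate, c.IntermediateKey)
	return leaf, err
}

// Verify checks leaf as a Go relying party would, trusting only the root certificate.
func (c *Chain) Verify(leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       dnsName,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsNameConstraintViolation reports whether a Verify error was caused by name constraints.
// Go does not surface CANotAuthorizedForThisName directly: no chain could be built, so
// Verify returns UnknownAuthorityError whose message embeds the underlying reason.
func IsNameConstraintViolation(err error) bool {
	return err != nil && strings.Contains(err.Error(), "not authorized to sign for this name")
}

func main() {
	chain, err := BuildConstrainedChain([]string{"example.com"})
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"www.example.com", "www.example.org"} {
		leaf, err := chain.IssueLeaf(name)
		if err != nil {
			panic(err)
		}
		err = chain.Verify(leaf, name)
		fmt.Printf("%-16s verify error: %v (constraint violation: %t)\n", name, err, IsNameConstraintViolation(err))
	}
}
```

`www.example.com` verifies; `www.example.org` is issued without complaint but fails verification with `x509: certificate signed by unknown authority (possibly because of "x509: a root or intermediate certificate is not authorized to sign for this name: ..." ...)`. A constraint of `example.com` permits that name and all its subdomains; a leading dot (`.example.com`) permits only subdomains. Go's verifier applies constraints from every CA in the chain, so the same check would pass if the constraint were placed on the root instead, which is not true of every client mentioned in the thread.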
Is there any news on if and how to use name constraints with cfssl? |
+1 Wanting to move away from using the openssl CLI to manage my PKI, and this is the only real roadblock I've run into. @reg0bs There's a PR by @rpoisel #1247 which seems complete, albeit old. Maybe @nickysemenza could have a look?
I am researching tools for generating internal CA for my homelab and was quite surprised CFSSL does not support the Name Constraints yet. Are there any plans for this feature? |
I can't seem to find anywhere an example of setting X509 name constraints on a CA cert. Is it possible to do this?