The X.509 name constraints extension can be used in a sub-CA certificate to specify a name space within which all subject names in end-entity (EE) certificates must fall.
In a Windows domain this feature can be used to restrict the pattern of UPN subject alternative names that are allowed in certificates issued by the PrivX CA. The target hosts validate the EE certificates, and if the UPN does not fall within the name constraints, certificate validation fails.
The following steps are required to use X.509 certificate name constraints with the PrivX CA:
- Generate a certificate-signing request (CSR) for the PrivX CA private key.
- Attach name constraints to the CSR.
- Create a sub-CA certificate by signing the CSR with your Windows CA.
- Import the signed sub-CA certificate back into PrivX.
Follow the instructions in PrivX CA as Sub CA in CA Hierarchy to generate a certificate signing request for the CA key.
On the Windows CA server:
- Create a policy.inf document similar to the following template:
```ini
[Version]
Signature= "$Windows NT$"

[RequestAttributes]
CertificateTemplate = SubCA

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
UPN = @example.com
NoDefault = TRUE

[NameConstraintsExcluded]
UPN = [email protected]
```
The example template specifies a name constraint that permits UPN subject alternative names whose domain part is @example.com, and explicitly excludes [email protected]. The NoDefault = TRUE setting is required for compatibility with PrivX.
- Attach the name constraints to the CSR by executing the following command:
```shell
$ certreq -policy privx-im-ca.req policy.inf privx-im-ca-constraints.req
```
The CSR in privx-im-ca-constraints.req now includes the name constraints.
- Sign the CSR with the Windows CA to create the PrivX sub-CA certificate.
Follow the instructions in PrivX CA as Sub CA in CA Hierarchy to import the signed sub-CA certificate to PrivX.
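The check a target host performs on an EE certificate's UPN, as an added Python illustration (not PrivX or Windows code): the permitted entry mirrors the template above, the excluded entry `blocked@example.com` is a constructed stand-in for the value on the page, and exact-domain matching (no subdomains) for an `@domain` entry is an assumption.

```python
"""Evaluate a UPN subject alternative name against the permitted and excluded
UPN subtrees of a sub-CA's name constraints, the way a relying host does.
Added illustration, not PrivX code; constraint and UPN values are constructed."""

# Constructed to mirror the policy.inf template: permit every UPN in
# example.com, and exclude one specific account (placeholder value).
PERMITTED_UPNS = ["@example.com"]
EXCLUDED_UPNS = ["blocked@example.com"]


def upn_matches(constraint: str, upn: str) -> bool:
    """True if one constraint entry covers the UPN.

    '@domain' covers every UPN whose domain part equals 'domain'
    (assumption: exact match, no subdomains, case-insensitive).
    'user@domain' covers exactly that UPN, case-insensitive.
    """
    if "@" not in upn:
        return False  # not a UPN-shaped name, cannot match a UPN subtree
    user, _, domain = upn.rpartition("@")
    c_user, _, c_domain = constraint.rpartition("@")
    if domain.lower() != c_domain.lower():
        return False
    return c_user == "" or c_user.lower() == user.lower()


def evaluate_upn(upn: str, permitted=PERMITTED_UPNS, excluded=EXCLUDED_UPNS) -> str:
    """RFC 5280 name-constraint evaluation for one name type.

    Excluded subtrees always win; if any permitted subtree of this type
    exists, the name must fall inside at least one of them.
    Returns 'allowed', 'excluded' or 'outside-permitted'.
    """
    if any(upn_matches(c, upn) for c in excluded):
        return "excluded"
    if permitted and not any(upn_matches(c, upn) for c in permitted):
        return "outside-permitted"
    return "allowed"


if __name__ == "__main__":
    for candidate in ["alice@example.com", "Alice@EXAMPLE.COM",
                      "blocked@example.com", "alice@sub.example.com",
                      "alice@other.com", "no-upn-here"]:
        print(f"{candidate:28} -> {evaluate_upn(candidate)}")
```

A host that rejects the certificate for `outside-permitted` or `excluded` is behaving correctly; a PrivX CA issuing such a UPN would itself be the misconfiguration to investigate.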