X.509 Certificate Name Constraints

The X.509-certificate-name-constraints extension can be used in a sub-CA certificate for specifying a name space within which all subject names in EE certificates must be located.

In a Windows domain this feature can be used for restricting the pattern of UPN subject alternative names that are allowed in certificates issued by PrivX CA. The target hosts validate the EE certificates and if the UPN does not fit into the name constraints the certificate validation fails.

The following steps are required to use X.509 certificate name constraints with the PrivX CA:

  1. Generate a certificate-signing request (CSR) for the PrivX CA private key.
  2. Attach name constraints to the CSR.
  3. Create a sub-CA certificate by signing the CSR with your windows CA.
  4. Import the signed sub CA certificate back to PrivX.

Generating a Certificate-Signing Request for PrivX CA Key

Follow the instructions in PrivX CA as Sub CA in CA Hierarchy to generate a certificate signing request for the CA key.

Attaching Name Constraints to the CSR

On the windows CA server:

  1. Create a policy.inf document similar to the following template:
[Version]
Signature= "$Windows NT$"

[RequestAttributes]
CertificateTemplate = SubCA

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
UPN = @example.com
NoDefault = TRUE

[NameConstraintsExcluded]
UPN = Administrator@example.com

The example template specifies a name constraint that allows UPN subject alternative names that have a domain part @example.com, and explicitly disallows Administrator@example.com. The NoDefault = TRUE is required for compatibility reasons with PrivX.

See https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/constraints-what-they-are-and-how-they-amp-8217-re-used/ba-p/1129048 for more information.

  1. Attach the name constraints to the CSR by executing the following command:
$ certreq -policy privx-im-ca.req policy.inf privx-im-ca-constraints.req

The CSR in privx-im-ca-constraints.req includes the name constraints.

Signing the CSR

Sign the CSR with the windows CA to create the PrivX sub CA certificate.

Importing the Signed Sub CA certificate

Follow the instructions in PrivX CA as Sub CA in CA Hierarchy to import the signed sub-CA certificate to PrivX.

Was this page helpful?