                        Name Constraints
I can't seem to find anywhere an example of setting X509 name constraints on a CA cert. Is it possible to do this?
It's definitely possible to do this, but I'm pretty sure not directly through cfssl, since the Go x509 APIs do not support NameConstraints AFAICT. You would need to re-sign the CA certificate using OpenSSL.
You should also be aware that browsers differ on whether they honor NameConstraints in a trust anchor. I believe most of them only honor NameConstraints in an intermediate. So, to generate your own trust chain that is truly name constrained, you would need to generate a self-signed root, sign a name constrained intermediate, then delete the root key, import the self-signed root into the relevant trust stores, and do all your signing with the intermediate. Disadvantage: all relying parties have to simply trust that you really did delete the private key corresponding to the unconstrained root.
As per this test, most clients actually do honour it in trust root (except, apparently, many on MacOS).
Also even if it only works on intermediates, that is an important use-case too (e.g. project- or department-specific intermediates restricted to appropriate subdomain).
Support for name constraints was added to the x509 package https://golang.org/pkg/crypto/x509/#Certificate.PermittedDNSDomains
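Since the Go x509 package now exposes name constraints via PermittedDNSDomains, here is an added example (not cfssl code and not from anyone in this thread) that builds the chain described above in plain Go: a self-signed root, an intermediate constrained to lab.example, and a leaf issued by that intermediate, then runs Go's own verifier to show a leaf outside the permitted domain being rejected. The CA names, the lab.example domain and the throwaway keys are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error: fine for a demo, not for CA tooling.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// sign issues a certificate from tpl under parent/priv and parses the DER back.
func sign(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, pub, priv))))
}
// BuildChain returns a self-signed root, an intermediate whose PermittedDNSDomains limits it to lab.example and its subdomains, and a leaf for leafDNS issued by that intermediate (constructed names, throwaway P-256 keys).
func BuildChain(leafDNS string) (root, inter, leaf *x509.Certificate) {
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = sign(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	interTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo Constrained CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		// The name constraint itself; marked critical so a client that cannot process it must reject the certificate.
		PermittedDNSDomains: []string{"lab.example"}, PermittedDNSDomainsCritical: true}
	inter = sign(interTpl, root, &interKey.PublicKey, rootKey)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafDNS},
		DNSNames: []string{leafDNS}, NotBefore: nb, NotAfter: na}
	leaf = sign(leafTpl, inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

// Verify validates leaf -> inter -> root for dnsName; a leaf outside lab.example fails with x509.CertificateInvalidError{Reason: x509.CANotAuthorizedForThisName}.
func Verify(root, inter, leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}
```

Go's verifier applies the intermediate's constraint to the leaf's SAN entries, so the same check runs whether the constraint sits on a root or an intermediate; which of the two a given browser honours is the separate question raised earlier in the thread.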
Is there any news on if and how to use name constraints with cfssl?
+1 Wanting to move away from using the openssl CLI to manage my PKI and this is the only real roadblock I've run into.
@reg0bs There's a PR by @rpoisel #1247 which seems complete albeit old. Maybe @nickysemenza could have a look?
I am researching tools for generating an internal CA for my homelab and was quite surprised CFSSL does not support Name Constraints yet. Are there any plans for this feature?