AnsweredAssumed Answered

Check name constraint on (intermediate) CA certificates?

Question asked by Johannes Totz on Jun 13, 2014
Latest reply on Jun 16, 2014 by Ivan Ristić

The SSL test currently does not check whether any name constraint extensions validate.

Would it be possible to enable this? Googling around, it seems that openssl doesn't implement checking for it. But Internet Explorer (on win8) and Firefox correctly issue an error or warning in case an intermediate CA signs a cert for a server that does not fall into the permitted namespace.

 

btw, thanks for the ssl test! it's very useful!

Outcomes