ETOOBUSY 🚀 minimal blogging for the impatient
I discovered about Name Constraints.
It seems to be able to create a root certification authority that is constrained to only emit certificates for a restricted (although still possibly unbounded) set of things.
It comes with some caveats, the first and foremost being that it’s been a kind of an afterthought and clients might not have implemented that widely. At least according to some help posts from about ten years ago.
So I guess it’s fair to use it in a small and largely controlled environment where clients are updated and more than this they can be tested. Still, it makes me uneasy to install a root CA certificate.
It can be set via OpenSSL, like this in an extensions part:
[ req] x509_extensions = ca_extensions ... [ ca_extensions ] nameConstraints = permitted;DNS:*.example.com ...
It can be set in permit or in exclude mode. I like the first better because it works like an allow list, where everything is denied and only few selected things pass.
Stuff for studying!