How to enable Name Constraints extension to a CA certificate?
The Name Constraints extension is used in CA certificates; it specifies the constraints that apply to the Subject DN and Subject Alternative Names of subsequent certificates in the certification path. If a CA certificate contains this extension, subsequent certificates may contain only the permitted names in their Subject DN and Subject Alternative Names, and ADSS Server will not generate certificates that do not comply with the name constraints set by the CA. Follow these steps to add the Name Constraints extension to CA certificates in ADSS Server:
1- Enable Name Constraints extension in Certificate Template
The Name Constraints extension can be added to CA certificates (not self-signed ones) only, so the first step is to enable this extension in the relevant Certificate Template. Create a new certificate template with the purpose Certificate/CRL Signing, or update an existing one with the same purpose. Enable the Name Constraints extension in the template as shown in the image below:
The Name Constraints extension consists of two types of lists:
- Permitted Names
- Excluded Names
Permitted Names: this list contains the names that will be permitted in subsequent certificates. The following name types can be added to the list:
- Directory Name
Only the name forms enabled in the template can be added to the Name Constraints extension when generating a CA certificate.
Excluded Names: this list contains the names that the CA wants to prohibit; they cannot appear in subsequent certificates. The name forms selected in the template for excluded names will be added to the Name Constraints extension when generating the CA certificate.
2- Create a CA certificate with a Name Constraints extension
Once the Name Constraints extension is enabled in the Certificate Template, the next step is to generate a CA certificate that contains the Name Constraints extension. A subordinate CA certificate can be generated either by sending a request to the ADSS Certification Service or on the ADSS Console using the Key Manager module. However, the option to add the Name Constraints extension to a CA certificate is only provided via the Key Manager module on the ADSS Console.
- Launch ADSS Server Console and navigate to Key Manager > Service Keys
- Select a key-pair with purpose Certificate/CRL Signing and view its certificates by clicking on Certificates button.
- On the next screen, click on the Create CSR/Certificate button to create the certificate. The following screen will be displayed:
In the image above, the highlighted section Name Constraints contains the fields and controls for adding the Permitted and Excluded Names to the Name Constraints extension. Note that this section is only visible if the Name Constraints extension is enabled in the selected Certificate Template. Only the name types allowed in the template can be added here, e.g. if only dNSName is allowed in the template for permitted and excluded names, then only the fields related to dNSName will appear on the screen. Also note that the Name Constraints section is not visible while generating self-signed certificates, as this extension is only added to subordinate CAs. Different name forms can be provided here for permitted and excluded names. After providing the required names in the permitted or excluded lists, create the certificate and the Name Constraints extension will be added to it.
3- Issuing Certificates from a CA containing Name Constraints extension
While issuing certificates (either via the Certification Service or the Console) from a CA whose certificate contains the Name Constraints extension, ADSS Server ensures that the target certificate's Subject DN and Subject Alternative Name contain only names that comply with the permitted and excluded names in the CA certificate's Name Constraints extension.
For example, if the Name Constraints extension contains the dNSName alpha.com in the permitted list, the subsequent certificates can have only www.alpha.com as the dNSName in the Subject Alternative Name extension. For subdomains, if .alpha.com is set in the permitted list, the subsequent certificates can contain www.sub.alpha.com or www.any.alpha.com.
For excluded names, if bravo.com is set in the Excluded Names list of the CA certificate, subsequent certificates cannot have this domain (e.g. www.bravo.com) in their Subject Alternative Name extension. The same rule applies to restricting sub-domains, i.e. if .bravo.com is set in the Excluded Names list, sub-domains such as www.sub.bravo.com or www.adv.bravo.com are not allowed.
Note: Name Constraints rules apply to a target certificate only when the certificate contains a name type that is also present in the Name Constraints extension. For example, if a dNSName is added to the permitted or excluded names in the CA certificate but the target certificate does not contain any dNSName in its Subject Alternative Name extension, the dNSName rules are not applied and the certificate is issued without any issues.
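To make the issuance rules of step 3 concrete, the following added example (not ADSS Server code; the constraint values alpha.com and bravo.com and the candidate SAN lists are constructed for illustration) implements a small dNSName constraint checker of the kind a CA or path validator runs before issuing or accepting a certificate. It follows RFC 5280 section 4.2.1.10, under which a constraint alpha.com is satisfied by alpha.com and any name formed by adding labels on the left (so www.sub.alpha.com also satisfies it, which is broader than the ADSS Server behaviour described above), while the leading-dot form .alpha.com, as OpenSSL interprets it, matches proper sub-domains only. Excluded names take precedence over permitted names, an empty permitted list imposes no restriction, and a certificate with no dNSName at all is not subject to the dNSName rules, matching the Note.

```python
"""Added example: apply a CA's dNSName name constraints to a candidate
end-entity certificate's SAN dNSName list (not ADSS Server's own code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    """dNSName subtrees taken from a CA certificate's Name Constraints extension."""
    permitted_dns: list[str] = field(default_factory=list)
    excluded_dns: list[str] = field(default_factory=list)


def dns_matches(name: str, constraint: str) -> bool:
    """True if `name` falls within the dNSName subtree `constraint`.

    RFC 5280: "alpha.com" covers alpha.com and anything built by adding
    labels on the left (www.alpha.com, www.sub.alpha.com), but not
    notalpha.com. Leading-dot form ".alpha.com" (OpenSSL convention, also
    used in the text above) covers proper sub-domains only.
    """
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return len(name) > len(constraint) and name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


def check_dns_names(san_dns: list[str], nc: NameConstraints) -> list[str]:
    """Return a list of violation messages; an empty list means compliant."""
    violations: list[str] = []
    # Per the Note above: if the candidate carries no dNSName, the dNSName
    # constraints simply do not apply to it.
    if not san_dns:
        return violations
    for name in san_dns:
        excluded_hit = next((ex for ex in nc.excluded_dns if dns_matches(name, ex)), None)
        if excluded_hit is not None:
            violations.append(f"{name}: matches excluded name {excluded_hit}")
            continue
        # An empty permitted list means "unconstrained" for this name type.
        if nc.permitted_dns and not any(dns_matches(name, p) for p in nc.permitted_dns):
            violations.append(f"{name}: not within any permitted name {nc.permitted_dns}")
    return violations


def can_issue(san_dns: list[str], nc: NameConstraints) -> bool:
    """Issuance decision a constrained CA would take for the candidate names."""
    return not check_dns_names(san_dns, nc)


if __name__ == "__main__":
    # Constructed CA constraints mirroring the examples in the text.
    ca_nc = NameConstraints(permitted_dns=["alpha.com"], excluded_dns=["bravo.com"])
    candidates = [
        ["www.alpha.com"],                  # permitted
        ["www.sub.alpha.com"],              # permitted under RFC 5280 matching
        ["www.bravo.com"],                  # excluded
        ["www.charlie.com"],                # outside every permitted subtree
        ["www.alpha.com", "api.bravo.com"],  # one good name, one excluded
        [],                                 # no dNSName: rules do not apply
    ]
    for san in candidates:
        print(san, "->", "ISSUE" if can_issue(san, ca_nc) else check_dns_names(san, ca_nc))
```

Directory Name constraints from the Permitted/Excluded lists above would be checked the same way against the Subject DN, with RDN-prefix matching instead of label-suffix matching; the structure of the decision (exclusions first, then permitted subtrees, skipped entirely when the name type is absent) is unchanged.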