Apply a name constraint to an X.509 trust anchor via cross-signing, without that trust anchor's consent.
JeremyRand Merge #4: Suppress some gosec warnings
368434b Suppress gosec warning about unhandled error (JeremyRand)
749270b Suppress gosec warning about input CA path (JeremyRand)

Pull request description:

Tree-SHA512: 541af327d51087967eb4e5742986f1b3d062b51f68018c2322a2dfd6254e021115075b5e9f6b9308eafece84088499e4dd4ad8ad039efe0889eaaad74f3b1256
Latest commit 76052b0 Sep 19, 2018


This tool applies a name constraint exclusion to a DER-encoded TLS trust anchor via cross-signing. The intended use case is to stop a CA's certificates from validating for a domain name that it has no legitimate business issuing certificates for; the constraint lives in your own trust store, so the CA's cooperation is not required. For example:

  • Disallowing a public CA from issuing certificates for the .bit TLD used by Namecoin.
  • Disallowing a public CA from issuing certificates for a TLD controlled by your corporate intranet.
  • Disallowing your corporate intranet's CA from issuing certificates for a TLD allocated by ICANN.

It currently only supports a single DNS domain name exclusion (because that's all that Namecoin needed). Pull requests that add additional flexibility for the name constraints (e.g. multiple exclusions, permitted DNS domain names, or non-DNS domain names) would be happily accepted and appreciated (even if it breaks API backward-compatibility).
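The re-signing described above, as an added Go example that is not the project's own code: a freshly generated local root cross-signs a (constructed) public CA's subject and public key with a critical NameConstraints extension excluding one DNS domain, after which a leaf for a name under that domain no longer chains to the local root while other names still do. The function names (`issue`, `newCA`, `crossSignExcluding`, `verifyLeaf`) and the use of Ed25519 keys are assumptions of this example, not the tool's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent (self-signed when parent == tmpl) and returns it parsed.
func issue(tmpl, parent *x509.Certificate, pub any, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// newCA builds a self-signed CA; it stands in for the DER trust anchor the tool reads (constructed).
func newCA(cn string) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return key, issue(tmpl, tmpl, pub, key)
}

// crossSignExcluding re-issues input's subject and public key under a fresh local root, adding a
// critical NameConstraints extension that excludes one DNS domain. Only input's public key is used.
func crossSignExcluding(input *x509.Certificate, excluded string) (root, cross *x509.Certificate) {
	rootKey, root := newCA("Local Name Constraint Root (constructed)")
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: input.Subject, SubjectKeyId: input.SubjectKeyId,
		NotBefore: input.NotBefore, NotAfter: input.NotAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: input.KeyUsage,
		ExcludedDNSDomains: []string{excluded}, PermittedDNSDomainsCritical: true}
	return root, issue(tmpl, root, input.PublicKey, rootKey)
}

// verifyLeaf has the input CA issue a leaf for dnsName and reports whether it chains to root via cross (nil: accepted).
func verifyLeaf(dnsName string, caKey ed25519.PrivateKey, ca, root, cross *x509.Certificate) error {
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(3), DNSNames: []string{dnsName}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, leafPub, caKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(cross)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err
}
```

Only `root` goes into the trust store, with `cross` distributed as an intermediate; the original CA certificate itself must not remain trusted, or clients will simply build the unconstrained chain.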


crosssignnameconstraint requires Go 1.10.0 or higher. Please note that crosssignnameconstraint will build in Go 1.9.x, but will behave incorrectly (and we cannot guarantee that this incorrect behavior won't introduce security issues).

Projects that use crosssignnameconstraint

Send a pull request if you'd like to be included.


crosssignnameconstraint is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

crosssignnameconstraint is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with crosssignnameconstraint. If not, see