Skip to content
Apply a name constraint to an NSS certificate database for all CKBI (built-in) trust anchors, without those trust anchors' consent.
Go Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This tool applies a name constraint exclusion to an NSS sqlite database for all CKBI TLS trust anchors. The intended use case is to disallow public CA's from issuing certificates for TLD's with unique regulatory or policy requirements, such as:

  • The .bit TLD used by Namecoin.
  • A TLD controlled by your corporate intranet.


tlsrestrictnss requires Go 1.10.0 or higher; this requirement is inherited from the crosssignnameconstraint dependency.


  • This tool only applies name constraints to certificates from Mozilla's CKBI (built-in certificates) module. If you want to import a TLS trust anchor that's not part of CKBI, and you want a name constraint to be applied to it, you should use crosssignnameconstraint to modify that trust anchor before you import it to NSS.
  • This tool will probably prevent HPKP from working as intended, unless HPKP is applied to user-defined trust anchors. Firefox is capable of doing this (though it's not the default); Chromium is not AFAIK.


tlsrestrictnss is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

tlsrestrictnss is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with tlsrestrictnss. If not, see

You can’t perform that action at this time.