Add name constraints to CA cert? #92

Closed
fd0 opened this issue Dec 19, 2019 · 2 comments · Fixed by #94

Comments

@fd0
Contributor

fd0 commented Dec 19, 2019

Hi,

thanks a lot for this handy tool! About the only thing I'm missing is adding name constraints to a CA when the certificate is created, so that the newly created CA is only valid for certain hierarchies. In openssl config syntax this would look as follows:

nameConstraints=critical,permitted;DNS:.example.com, permitted;DNS:.otherexample.com

A CA created with this constraint (which must be marked as critical) can only sign certificates below example.com or otherexample.com. This attribute can also contain IP addresses and many other features (you know, the whole x509 stuff), but being able to restrict a CA to some domains is the only thing I need.

Is there interest in adding a basic version of this feature? Like, not supporting the whole x509 madness, but being able to specify a list of domains and maybe IP ranges a new CA should be valid for?

If so, I'm willing to add the code (and tests) needed for this feature. Let me know what you think!

@mcpherrinm
Contributor

Name constraints seem like a pretty reasonable feature.
They can get pretty complicated; one goal of certstrap is to support a relatively narrow, commonly used subset of functionality in an easy-to-use fashion.

I think if we can get a fairly simple command line I'm definitely willing to merge.
DNS constraints are definitely good. I'm not sure how well supported IP constraints (or URIs, which are also supported by certstrap in CSRs) are in other software.

There's a related feature, path length constraints, that certstrap ought to handle too.

@fd0
Contributor Author

fd0 commented Dec 20, 2019

Ok, thanks for the feedback so far! I think I'll give it a try.
