Affects Version/s: None
Fix Version/s: EJBCA 6.2.2
- A sub CA with "CN=Sub CA, O=PrimeKey,C=SE"
- Sub CA certificate issued from (external) Root CA, Sub CA certificate has name constraints "OU= Domain Validated"
The meaning of the name contraint is that end entity certificates from Sub CA must be "CN=foo,OU=Domain Validated".
Currently it is not possible to import the Sub CA certificatebecause when you do that the Sub CA tries to generate a XKMS and CMS certificate that violates name constraints.
The easy fix:
- Do not generate XKMS and CMS certificates/keystores when these services are not active.