Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-4516

Check name constraints from CA certificates when saving an end-entity profile


    • Type: Improvement
    • Status: Open
    • Priority: Cosmetic
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None


      It's currently possible to create a profile that can't ever satisfy the Name Constraints of one or more explicitly listed available CA. These types of errors can happen:

      1. Profile is missing a DN or SAN field that the Name Constraints require
      2. One of the allowed values of a non-modifiable field never satisfy the Name Constraints
      3. A validation regex forbids all values that the Name Constraint allows (probably extremely hard or even impossible to check).

      Number 1 should be the easiest to implement and is the most important one. Number 2 is less important. Number 3 might not even be possible to check, and I consider it out of scope for this issue.

      This can be implemented by checking against the CA certificates (which contain the NCs) of the available CAs. It should only be checked when the End-Entity profile lists one or more CAs explicitly (i.e. doesn't have the "All" option for the allowed CAs).




            • Assignee:
              samuel Samuel Lidén Borell
            • Votes:
              0 Vote for this issue
              1 Start watching this issue


              • Created: