I'm exploring methods to control which Subject Alternative Names (SANs) can be included in certificate requests. One approach I'm considering is implementing Name Constraints within the Certificate Authority (CA) to limit the SANs. Before I go ahead, I would like some insights on this:
- Is using Name Constraints the best option for enforcing SAN restrictions?
- Are there any potential drawbacks or limitations I should be aware of in a Public Key Infrastructure (PKI) setup?
- Are there other methods that might offer more safety or flexibility?
I appreciate any advice!
5 Answers
Using Name Constraints is a solid choice for controlling SANs, but be sure to thoroughly test the certificate issuance process first. I've seen instances where strict policies caused issues with older Windows systems. It's a good idea to have a fallback option ready just in case.
If you're using Active Directory Certificate Services, keep in mind that your certificate policy might not support some features you need, especially if you're planning on deploying certain connectors. It's worth investigating further.
Watch out for compatibility problems, particularly with older Apple devices. I've read that Name Constraints can sometimes create issues, so double-check compatibility before fully implementing.
You might want to check out the Tame My Certs policy module. It could provide a good alternative or additional features that may be useful for your setup.
I haven't done this in a large-scale deployment, but in my home lab, I set up Name Constraints and it's worked well for me. For example, I created a test domain that fails validation, which gives me confidence in the system's security. Just make sure to test it out beforehand!
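The two points above about testing issuance and keeping a domain that is supposed to fail, worked through as an added example (not code from the thread, from AD CS or from any policy module). It uses Go's crypto/x509 as a stand-in for both the CA and the relying party: a root signs an issuing CA that carries a critical Name Constraints extension, that CA then signs whatever SANs it is asked for, and path validation decides what gets accepted. All names (corp.example.com, lab.corp.example.com, portal.example.org) are illustrative assumptions. The important caveat it makes visible is that Name Constraints are enforced by the client building the chain, not by the CA at issuance, which is why the compatibility of the verifying systems matters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// constrainedPKI is a toy two-tier hierarchy: an unconstrained root and an
// issuing CA carrying a critical Name Constraints extension. Names used here
// are illustrative assumptions, not taken from the thread.
type constrainedPKI struct {
	root      *x509.Certificate
	issuer    *x509.Certificate
	issuerKey *ecdsa.PrivateKey
	serial    int64
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the entropy source is broken
	}
	return k
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// newPKI builds the root and an issuing CA limited to the permitted DNS
// subtrees minus the excluded ones. A constraint without a leading dot
// ("corp.example.com") covers that name and every label below it.
func newPKI(permitted, excluded []string) (*constrainedPKI, error) {
	rootKey := newKey()
	rootTpl := caTemplate(1, "Example Root CA")
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	issuerKey := newKey()
	issuerTpl := caTemplate(2, "Example Issuing CA")
	issuerTpl.PermittedDNSDomainsCritical = true // nameConstraints marked critical
	issuerTpl.PermittedDNSDomains = permitted
	issuerTpl.ExcludedDNSDomains = excluded
	issuerDER, err := x509.CreateCertificate(rand.Reader, issuerTpl, root, &issuerKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	issuer, err := x509.ParseCertificate(issuerDER)
	if err != nil {
		return nil, err
	}
	return &constrainedPKI{root: root, issuer: issuer, issuerKey: issuerKey, serial: 100}, nil
}

// issueLeaf signs a server certificate with exactly the requested SANs and
// does no checking of its own: this models a CA whose templates let the
// requester choose the SAN, which is the situation the question describes.
func (p *constrainedPKI) issueLeaf(sans []string) (*x509.Certificate, error) {
	p.serial++
	leafKey := newKey()
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: sans[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, p.issuer, &leafKey.PublicKey, p.issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify does what a relying party does: chain the leaf to the root through
// the constrained issuer and check the requested host name.
func (p *constrainedPKI) verify(leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.issuer)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isNameConstraintViolation distinguishes "this CA is not authorized for the
// name" from unrelated failures (expiry, host name mismatch), so a test of
// the constraints does not pass for the wrong reason.
func isNameConstraintViolation(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	pki, err := newPKI([]string{"corp.example.com"}, []string{"lab.corp.example.com"})
	if err != nil {
		panic(err)
	}
	cases := [][]string{
		{"www.corp.example.com", "api.corp.example.com"}, // inside the permitted subtree
		{"www.corp.example.com", "portal.example.org"},   // one SAN outside: whole cert rejected
		{"build.lab.corp.example.com"},                   // permitted subtree, but excluded
	}
	for _, sans := range cases {
		leaf, err := pki.issueLeaf(sans)
		if err != nil {
			panic(err)
		}
		err = pki.verify(leaf, sans[0])
		fmt.Printf("%-52v accepted=%-5t constraintViolation=%t\n", sans, err == nil, isNameConstraintViolation(err))
	}
}
```

Run it with `go run`. The second case is the one worth keeping around as a permanent negative test: a request that mixes a legitimate SAN with one outside the permitted tree is rejected as a whole, not trimmed to the acceptable names. Against a real issuing CA you would replace issueLeaf with a CSR submitted through the normal enrolment path and verify the returned certificate with each client platform you need to support, since a verifier that does not process the extension will accept all three cases.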
