Ica constrained

From UVOO Tech Wiki
Jump to navigation Jump to search

To create an Intermediate Certificate Authority (ICA) that can only issue certificates for subdomains of a specific domain (like *.example.com), you must use the Name Constraints extension in the ICA's certificate. This restriction is applied when the Root CA signs the ICA's Certificate Signing Request (CSR). Here are the steps and the required configuration file section. 1. Create the Configuration File (ica.cnf) You need a custom configuration file to define the ICA extensions. Create a file named ica.cnf (or add this section to your main openssl.cnf) and include the Name Constraints extension. The critical line is nameConstraints=critical,permitted;DNS:.example.com. [ v3_intermediate_ca ]

Standard CA constraints

basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign

Name Constraints to restrict domains

Permitted: only allow DNS names that are subdomains of .example.com

This includes test1.example.com, test2.example.com, etc.

Note: It does not include example.com itself unless you add another line:

permitted;DNS:example.com

nameConstraints = critical, permitted;DNS:.example.com

Explanation of the Name Constraint: 

* critical: This flag ensures that any client (browser, application) that doesn't understand the Name Constraints extension will reject the certificate, thus enforcing the security boundary.
* permitted;DNS:.example.com: This is the whitelist. The dot (.) prefix makes the constraint match the entire zone. Any name that can be constructed by adding one or more labels to the left of .example.com (e.g., test.example.com, a.b.example.com) is permitted.

2. Create the Intermediate CA Key and CSR First, generate the private key and the Certificate Signing Request (CSR) for your ICA.

1. Create the ICA Private Key

openssl genrsa -aes256 -out intermediate.key.pem 4096

2. Create the ICA CSR

Replace the DN fields (C, O, CN, etc.) with your specific values

openssl req -new -sha256 \ 

   -key intermediate.key.pem \
   -out intermediate.csr.pem \
   -subj "/C=US/ST=CA/L=MyCity/O=Example Corp/OU=IT/CN=Example.com Constrained Intermediate CA"
  1. Sign the Intermediate CA with the Root CA Finally, use your Root CA key and certificate to sign the ICA's CSR, making sure to apply the extensions defined in your custom configuration file.

Sign the CSR using the Root CA and the custom configuration

openssl x509 -req -sha256 \ 

   -in intermediate.csr.pem \
   -CA root.crt.pem \
   -CAkey root.key.pem \
   -set_serial 0x100 \
   -days 3650 \
   -extfile ica.cnf \
   -extensions v3_intermediate_ca \
   -out intermediate.crt.pem

The resulting file, intermediate.crt.pem, is your domain-constrained ICA certificate. Any end-entity certificate signed by this ICA will be valid only if its domain name is under *.example.com. 4. Verify the Name Constraint You can verify the created certificate to ensure the constraint was applied correctly: openssl x509 -text -noout -in intermediate.crt.pem | grep -A2 "Name Constraints"

Expected Output: 

           X509v3 Name Constraints: critical
               Permitted: 
                 DNS:.example.com
Retrieved from "https://tech.uvoo.io/index.php?title=Ica_constrained&oldid=5637"