Enforcing Name Constraints on a Private CA
Name constraints are defined in the internet public key infrastructure (PKI) standard
RFC 5280. These constraints provide a way for CA administrators to restrict subject
names in certificates. Administrators can control which names are allowed or prohibited
in certificates that are issued from their private CAs. For example, a private
domain
name such as "project1.corp" might be allowed. But another private domain name
such as
"project2.corp" might be reserved for a different internal project. Similarly,
public
DNS names such as "example.com" or "*.com" can be denied. For more information,
see the
Name
Constraints
ACM Private CA enforces name constraints that are included in CA certificates. However, CA certificates issued by ACM Private CA cannot include name constraints. To apply name constraints in your private CA hierarchy, sign your AWS managed CA certificate with an external CA that supports issuing CA certificates with name constraints. Then import that certificate into ACM Private CA. Name constraints will now be inherited by certificates that your private CA issues.
Procedures for creating or obtaining an external CA are outside the scope of this guide.
Name constraints define names that can be either permitted or excluded in downstream certificate subtrees. Applying name constraints prevents subordinate CA administrators from issuing certificates for domains or hosts outside of an authorized scope.
ACM Private CA supports name constraints for the following name forms:
-
IPAddress
-
DirectoryName
-
UniformResourceIdentifier
-
EmailAddress
-
DNSName
ACM Private CA will not import a certificate that is configured to enforce name constraints for one of the following unsupported name forms:
-
OtherName
-
X400Address
-
RegisteredID
-
EDIPartyName
Examples of Name Constraint Policies
Each of the following examples includes a stub certificate policy that defines a set of name constraints. The examples also include an explanation of the resulting restrictions on certificate issuance. The following general rules apply:
-
Name constraints are stated as permitted subtrees, excluded subtrees, or both.
-
Permitted and excluded subtrees contain matching patterns, which may be empty. If a
permitted
subtree is empty, then all names in that form are denied. Similarly, if anexcluded
subtree is empty, then all names in that form are allowed. -
If a name form is not listed, then all names in that form are allowed.
-
Placing a constraint on one name form has no effect on other name forms.
Permitted Subtrees Only
nameConstraints=critical,permitted; DNSName:.private DNSName:.local DNSName:.corp UniformResourceIdentifier:
Result: A DNS name is allowed only if it
matches ".private", ".local", or ".corp". Names in the
UniformResourceIdentifier
form are denied because there is no
matching pattern. All names in supported unlisted forms are allowed.
Excluded Subtrees Only
nameConstraints=critical,excluded; DNSName:.example.com DNSName:.local
Result: A DNS name is denied if it matches ".example.com" or ".local". All names in supported unlisted forms are allowed.
Permitted AND Excluded Subtrees
nameConstraints=critical,permitted; DNSName:.private DNSName:.local DNSName:.corp nameConstraints=critical,excluded; DNSName:.secret.corp DNSName:.example.com
Result: A DNS name matching ".private" or ".local" is allowed. A DNS name matching ".corp" is allowed unless it also matches ".secret.corp". A DNS name matching ".example.com" is denied. All names in supported unlisted forms are allowed.
Permitted Subtrees Only, Specified in Two CA Certificates in the Chain
Root CA: nameConstraints=critical,permitted; DNSName:.private DNSName:.local DNSName:.corp Subordinate CA: nameConstraints=critical,permitted; DNSName:sub.private DNSName:a.b.local
Result: A DNS name is allowed if it matches "sub.private" or "a.b.local". DNS names matching ".corp" are denied. All names in supported unlisted forms are allowed.
Excluded Subtrees Only, Specified in Two CA Certificates in the Chain
Root CA: nameConstraints=critical,excluded; DNSName:foo.private DNSName:foo.example Subordinate CA: nameConstraints=critical,excluded; DNSName:bar.private DNSName:.example IPAddress:0.0.0.0/0
Result: A DNS name is allowed unless it
matches "foo.private", "bar.private", or ".example". Names in the
IPAddress
form are denied because the matching pattern matches
all IP addresses. All names in supported unlisted forms are allowed.