Can someone please confirm (or, better still, tell me a way I can achieve the following, if it is at all possible) my understanding/issue?
I use a Microsoft CA (domain joined). From what I have read here and in other blog posts, I cannot use name constraints to restrict the issuance of certificates when the domain name I want to restrict appears only in the Common Name (e.g. CN=) part of the overall Subject Name field.
For example,
let's say I want to restrict the issuance of any certificate for MyDomain.com.
If I have a certificate signing request which includes a Subject Name of
CN=www.MyDomain.com,OU=IT,O=MyOrg,L=Poole,S=Dorset,C=GB
and there are no Subject Alternative Names in the certificate signing request at all,
although I have name constraints in my CA certificate under the DNS (exclusion) section, e.g.
DNS = .MyDomain.com
DNS = MyDomain.com
the CA will still issue a certificate.
If I then add something like www2.MyDomain.com to the SAN of the certificate signing request, the CA rejects the request as expected.
So from what I have seen and read, name constraints do not apply to the CN= (Common Name) element of the Subject Name?
As web servers' SSL/TLS will look at CN= for a domain name match (if no SAN is present) to accept a certificate, it looks like there is no solution to this, unless I am missing something?
I would be grateful for any input.
Thanks, __AAnotherUser
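The post above describes a gap: the CA evaluates its excluded DNS name constraints against SAN dNSName entries, so a request that carries the restricted name only in the subject CN gets issued. The following is an added example, not code from the post or from Microsoft's CA, of the pre-submission (or policy-module) check a practitioner would run to close that gap. It implements the RFC 5280 section 4.2.1.10 dNSName subtree match and applies it to both the SAN list and any CN that looks like a hostname. Two points are assumptions of this example rather than facts from the post: a constraint written with a leading dot (".MyDomain.com") is interpreted as covering subdomains only, and a CN is treated as a DNS name only when it matches a simple hostname pattern.

```python
"""Pre-screen a CSR against a CA's excluded DNS name constraints, checking the
subject CN as well as the SAN dNSName entries.  Added example, not from the post."""
from __future__ import annotations

import re

# RFC 1123-style hostname, optionally with a leading wildcard label.  Only CN
# values of this shape are treated as DNS names; "CN=John Smith" is left alone.
# This heuristic is an assumption of the example.
_HOSTNAME_RE = re.compile(
    r"^(\*\.)?([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$", re.I
)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 string such as 'CN=www.example.com,OU=IT,O=Org' into
    (attribute, value) pairs.  Commas escaped as '\\,' stay inside the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if not rdn.strip():
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def dns_matches_constraint(name: str, constraint: str) -> bool:
    """RFC 5280 s4.2.1.10 dNSName subtree test: the constraint 'example.com'
    covers example.com itself and any name formed by adding labels on the left.
    A constraint with a leading dot ('.example.com') is taken here to cover
    subdomains only (an assumption about the INF-style syntax in the post)."""
    n = name.lower().rstrip(".")
    c = constraint.lower().rstrip(".")
    if c.startswith("."):
        return n.endswith(c)
    return n == c or n.endswith("." + c)


def excluded_hits(subject_dn: str, san_dns: list[str],
                  excluded_dns: list[str]) -> dict[str, list[str]]:
    """Return the request's DNS-shaped names that fall under an excluded subtree,
    keyed by origin: 'san' (what the CA evaluates) and 'cn' (what, per the post,
    it does not)."""
    cn_names = [v for a, v in parse_dn(subject_dn)
                if a == "CN" and _HOSTNAME_RE.match(v)]
    hits: dict[str, list[str]] = {"san": [], "cn": []}
    for where, names in (("san", san_dns), ("cn", cn_names)):
        for name in names:
            if any(dns_matches_constraint(name, c) for c in excluded_dns):
                hits[where].append(name)
    return hits


def should_reject(subject_dn: str, san_dns: list[str],
                  excluded_dns: list[str]) -> bool:
    """True if either the SAN or the CN carries an excluded name: the policy a
    pre-submission check (or a CA policy module) would enforce."""
    hits = excluded_hits(subject_dn, san_dns, excluded_dns)
    return bool(hits["san"] or hits["cn"])


if __name__ == "__main__":
    # Constructed inputs mirroring the post: the excluded subtrees and two CSRs.
    excluded = [".MyDomain.com", "MyDomain.com"]
    subject = "CN=www.MyDomain.com,OU=IT,O=MyOrg,L=Poole,S=Dorset,C=GB"
    # CN only: the CA issues, but this check flags the CN.
    print(excluded_hits(subject, [], excluded))
    # SAN present: the CA rejects, and so does this check.
    print(excluded_hits(subject, ["www2.MyDomain.com"], excluded))
```

Run it against the CSR from the post and the CN-only request is reported under "cn" while the CA itself would issue it; adding www2.MyDomain.com to the SAN shows up under "san", matching the rejection the post describes. The leading-dot and plain forms behave differently at the apex: "MyDomain.com" is covered by the plain constraint but not by ".MyDomain.com", so if the intent is to block the bare domain as well, the plain form needs to be present.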