Specify Name Constraints in CA Certificate #3655

@t-cas

Is your feature request related to a problem? Please describe.
When creating a Certificate CR using flag isCA: true, there is today no possibility to specify Name Constraints to apply restrictions on the CN and SAN for this Sub-CA.

Describe the solution you'd like
A new section spec.nameConstraints in the Certificate CR, for example:

spec:
  isCA: true
  nameConstraints:
  - type: permitted
    critical: true
    constraints:
      dns: [.private, .corp]
      ipAddress: [192.168.3.0/255.255.255.0]
  - type: excluded
    critical: true
    constraints:
      dns: [.secret.corp]

/kind feature

Labels: kind/feature, lifecycle/rotten, priority/backlog