Restricting a Certification Authority to Signing Certain Domains
Can I restrict a Certification Authority to signing certain domains only?
Is it possible to create a CA certificate (even unsigned), which is only allowed to sign certificates for specific limited domain(s), so that it can’t be misused for other domains?
No.
(I assume you are talking about certificates for SSL servers.)
Technically no. What would be closest to that would be the Name Constraints extension (see section 4.2.1.10 of RFC 5280) (OID 2.5.29.30), which theoretically allows for restricting a complete PKI subtree to an explicit set of domains (and subdomains thereof). The extension supports both whitelist and blacklist semantics (in your case, you would like a whitelist). In practice, however, this fails for two reasons:
- The Name Constraints extension is mostly unsupported by existing implementations of SSL. They are likely to ignore the extension.
- When an SSL client connects to a server, it looks for the server name in the server certificate, as specified in RFC 2818, section 3.1. It will look for names of type dNSName in a Subject Alt Name extension, and these names are covered (theoretically) by the Name Constraints. However, if the server certificate lacks a Subject Alt Name extension, clients will fall back on the Common Name (in the subjectDN). The Common Name is not in scope of the Name Constraints. This means that a certificate could evade the name constraints by omitting the Subject Alt Name extension and putting an arbitrary server name in its Common Name.
(This is the whole story of X.509: lots of hooks and provisions for many useful features, which don’t work because of lack of support from implementation and lack of coordination between specification bodies.)
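The second point of the answer above can be checked with a small model; this is an added example, not part of the original answer. It assumes certificates reduced to plain dicts (no real X.509 parsing), and the function names, the permitted subtree and the sample certificates are all constructed for illustration. It compares a check that constrains only Subject Alt Name entries with a stricter audit that constrains whichever name a client would actually match.

```python
# Constructed model: certificates are plain dicts, not parsed X.509 structures.

def dns_within(name, subtree):
    """dNSName constraint matching per RFC 5280 section 4.2.1.10:
    the subtree itself, or the subtree with labels added on the left."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def san_only_check(cert, permitted):
    """Constraint check as the answer describes it: only SAN dNSNames are in scope.
    A certificate with no SAN has nothing to violate, so it passes."""
    return all(any(dns_within(n, p) for p in permitted)
               for n in cert.get("san_dns", []))

def client_identities(cert):
    """Names a client matches per RFC 2818 section 3.1:
    SAN dNSNames when present, otherwise the Common Name."""
    san = cert.get("san_dns", [])
    if san:
        return list(san)
    return [cert["cn"]] if cert.get("cn") else []

def strict_check(cert, permitted):
    """Audit rule (hypothetical): every name a client would match must be permitted,
    including a Common Name used as fallback; a certificate with no name fails."""
    names = client_identities(cert)
    return bool(names) and all(any(dns_within(n, p) for p in permitted)
                               for n in names)

PERMITTED = ["example.com"]  # constructed whitelist for the constrained CA

CERTS = {  # constructed samples
    "in_scope":  {"cn": "www.example.com", "san_dns": ["www.example.com"]},
    "san_out":   {"cn": "www.example.com", "san_dns": ["www.other.test"]},
    "cn_only":   {"cn": "www.other.test", "san_dns": []},
    "lookalike": {"cn": "x", "san_dns": ["badexample.com"]},
}

def audit():
    """Return {label: (san_only_result, strict_result)} for each sample."""
    return {label: (san_only_check(c, PERMITTED), strict_check(c, PERMITTED))
            for label, c in CERTS.items()}

if __name__ == "__main__":
    for label, result in audit().items():
        print(label, result)
```

The `cn_only` sample is the one the two checks disagree on: it passes the SAN-only check while naming a host outside the permitted subtree.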