On Fri, 2016-06-03 at 14:30 +0200, Tomas Mraz wrote:
> > Sorry, I didn't realize that my question was worded ambiguously.
> >
> > Let me rephrase it: Is it possible to express that only the Red Hat
> > internal CA may issue certificates under *.corp.redhat.com, and no
> > other CAs may issue certificates for this subtree?
> Not in the terms of stapled extensions - as the extensions would have
> to be stapled onto some concrete certificates. You would have to
> basically create stapled extensions for every CA in your trusted list
> except for the Red Hat internal CA. And if any additional CA is added
> to the trusted list, it would have to get this stapled extension too.

Well, you could do that by stapling every other certificate than Red
Hat's with corp.redhat.com being on the excluded subtrees.

regards,
Nikos
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/security@xxxxxxxxxxxxxxxxxxxxxxx
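The arrangement discussed in the thread, modelled as an added example (my own code, not from the thread or from p11-kit): every trusted CA except the Red Hat internal CA carries a stapled name constraint with corp.redhat.com in excludedSubtrees, and a chain is rejected when a leaf's dNSName falls inside that subtree. The CA names and the trust list are constructed; the matching rule follows the dNSName semantics of RFC 5280 section 4.2.1.10.

```python
# Added example: how a corp.redhat.com exclusion stapled onto every CA except
# the internal one would play out during path validation. The trust list
# below is constructed for illustration and is not a real configuration.

def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName subtree match: the constraint "corp.redhat.com"
    covers corp.redhat.com itself and any name with extra labels to its
    left, but not notcorp.redhat.com. Comparison is case-insensitive."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".").lstrip(".")
    if name == subtree:
        return True
    # Only whole-label prefixes count, hence the leading dot.
    return name.endswith("." + subtree)


def violates_excluded(san_dns_names, excluded_dns):
    """Return the first SAN dNSName that falls in an excluded subtree,
    or None when the leaf is clean. One offending name is enough to
    reject the whole certificate."""
    for san in san_dns_names:
        for excluded in excluded_dns:
            if dns_in_subtree(san, excluded):
                return san
    return None


# Constructed trust list: the stapled exclusion is applied to every anchor
# except the Red Hat internal CA, which is exactly the maintenance burden
# the thread points out (a newly added CA would need the same entry).
TRUST_LIST = {
    "Red Hat internal CA": [],
    "Public CA A": ["corp.redhat.com"],
    "Public CA B": ["corp.redhat.com"],
}


def chain_accepted(issuer: str, san_dns_names) -> bool:
    """Accept the leaf only if its anchor is trusted and none of its
    dNSNames violate the exclusion stapled onto that anchor."""
    if issuer not in TRUST_LIST:
        return False
    return violates_excluded(san_dns_names, TRUST_LIST[issuer]) is None


if __name__ == "__main__":
    print(chain_accepted("Red Hat internal CA", ["vpn.corp.redhat.com"]))  # True
    print(chain_accepted("Public CA A", ["vpn.corp.redhat.com"]))          # False
    print(chain_accepted("Public CA A", ["www.redhat.com"]))               # True
    print(chain_accepted("Public CA A", ["notcorp.redhat.com"]))           # True
```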