Hi,

I read the OpenSSL Cookbook by Ivan Ristic and saw how he configured nameConstraints, so I adapted it for my setup. First I tried the following, but that doesn't work:

permitted;DNS.0=lan
permitted;DNS.1=local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP.2=192.168.0.0/255.255.0.0
excluded;IP.3=0.0.0.0/0.0.0.0
excluded;IP.4=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

Then I thought maybe reordering might help, like:

excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
permitted;DNS.0=lan
permitted;DNS.1=local
permitted;IP.2=10.0.0.0/255.0.0.0
permitted;IP.3=172.16.0.0/255.240.0.0
permitted;IP.4=192.168.0.0/255.255.0.0

but that gives the same result, except that the ordering is different.

So I guess as soon as one permitted entry is specified, everything else is automatically excluded (and vice versa for excluded / permitted). If that's the case, the following configuration should only allow certificates for any domain name using the TLDs lan or local and for any IP address in one of the three private networks, but everything else will render the certificate invalid. Is that correct?

permitted;DNS.0=lan
permitted;DNS.1=local
permitted;IP.0=10.0.0.0/255.0.0.0
permitted;IP.1=172.16.0.0/255.240.0.0
permitted;IP.2=192.168.0.0/255.255.0.0

If my assumption is correct, why do the CA/Browser Forum's Baseline Requirements define this? Do I have to do so because there's a bug (somewhere) that permits certificates for IP addresses just because DNS is permitted? Would I also have to exclude email, URI, RID, dirName and / or otherName too?

Thank you very much in advance!

Best regards,
Ben
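The following is an added example, not part of Ben's post or of OpenSSL: a small pure-Python model of the RFC 5280 name-constraint rules (section 4.2.1.10 matching, 6.1.3/6.1.4 processing) applied to the OpenSSL-style entries quoted above. It shows why an excluded 0.0.0.0/0.0.0.0 entry rejects every IPv4 name regardless of the permitted list, and that a name type with no permitted entries (here: email) is left unrestricted rather than implicitly excluded. The constraint lines are copied from the post; the sample SAN values are constructed.

```python
"""Model of RFC 5280 nameConstraints matching for OpenSSL-style 'scope;TYPE.n=value' entries."""
import ipaddress

# Constraint lists taken from the post (first attempt, and the permitted-only variant).
FIRST_TRY = [
    "permitted;DNS.0=lan", "permitted;DNS.1=local",
    "permitted;IP.0=10.0.0.0/255.0.0.0", "permitted;IP.1=172.16.0.0/255.240.0.0",
    "permitted;IP.2=192.168.0.0/255.255.0.0",
    "excluded;IP.3=0.0.0.0/0.0.0.0", "excluded;IP.4=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0",
]
PERMITTED_ONLY = [line for line in FIRST_TRY if line.startswith("permitted;")]

def parse_constraints(lines):
    """'permitted;IP.0=10.0.0.0/255.0.0.0' -> ('permitted', 'IP', '10.0.0.0/255.0.0.0')."""
    parsed = []
    for line in lines:
        lhs, value = line.split("=", 1)
        scope, typ = lhs.split(";")
        parsed.append((scope, typ.split(".")[0], value.strip()))
    return parsed

def dns_in_subtree(name, base):
    # RFC 5280 4.2.1.10: any name formed by adding zero or more labels on the left matches.
    name, base = name.lower().rstrip("."), base.lower().lstrip(".")
    return name == base or name.endswith("." + base)

def ip_in_subtree(addr, base_and_mask):
    # iPAddress constraints are address/mask; the name must fall inside that range and
    # be of the same address family (an IPv4 constraint never covers an IPv6 name).
    base, mask = (ipaddress.ip_address(p) for p in base_and_mask.split("/"))
    addr = ipaddress.ip_address(addr)
    if addr.version != base.version:
        return False
    return int(addr) & int(mask) == int(base) & int(mask)

# Only DNS and IP matching are modelled here; other types pass through unconstrained
# as long as no entry of that type exists, which is exactly the behaviour in question.
MATCHERS = {"DNS": dns_in_subtree, "IP": ip_in_subtree}

def san_allowed(constraint_lines, san_type, san_value):
    """True if one subjectAltName value passes the constraints (RFC 5280 6.1.3 step b)."""
    matcher = MATCHERS.get(san_type)
    same_type = [c for c in parse_constraints(constraint_lines) if c[1] == san_type]
    # A match in excludedSubtrees is fatal no matter what permittedSubtrees says.
    if any(matcher(san_value, v) for s, _, v in same_type if s == "excluded"):
        return False
    permitted = [v for s, _, v in same_type if s == "permitted"]
    # If permittedSubtrees has no entry of this type, the type stays unrestricted.
    return not permitted or any(matcher(san_value, v) for v in permitted)
```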