
I'm trying to implement an internal CA. For this to work, other people in the organization need to install the CA on their computers. In case the key is leaked, the attacker will compromise not only the internal domains but will also be able to generate certificates for any imaginable domain like gmail.com or github.com, and the people in the organization would trust them.

I want to ask if there's a way to create the CA and declare the domains it's allowed to generate certificates for, e.g. the CA is trusted to sign certificates only for *.acme.internal.

Calin Don
    Possible duplicate of [Can I restrict a Certification Authority to signing certain domains only?](https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only). Also of interest: [Can a CN-only certificate bypass a name constraint if the CA goes rogue?](https://security.stackexchange.com/questions/116957/can-a-cn-only-certificate-bypass-a-name-constraint-if-the-ca-goes-rogue). – Steffen Ullrich Apr 16 '17 at 19:32
  • Yep, it's a duplicate. Thanks for pointing me in the right direction. – Calin Don Apr 16 '17 at 19:39
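As an added example (not part of the original question or its comments), the name-constraints mechanism the linked question refers to, done with OpenSSL: the CA config marks the CA as permitted to issue only under .acme.internal, and chain validation then rejects a leaf certificate that the same CA signs for gmail.com. The CA name, file locations and host names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a name-constrained
# root CA with OpenSSL, then show that a leaf certificate for a name
# outside the permitted subtree fails chain validation.
# Assumes openssl 1.1+ on PATH; all names are constructed placeholders.
set -e
WORK="$(mktemp -d)"

# CA config: nameConstraints restricts the CA to hosts under .acme.internal.
# The extension is marked critical so a validator that does not understand
# it must reject the chain instead of silently ignoring the restriction.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = ACME Internal Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.acme.internal
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf NAME: sign a server cert for NAME with the constrained CA, then
# validate the chain against it; prints "ok" or "rejected".
issue_leaf() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$name" > "$WORK/$name.ext"
  # Signing succeeds for any name; the constraint is enforced at validation.
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$name.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

issue_leaf www.acme.internal   # ok: inside the permitted subtree
issue_leaf gmail.com           # rejected: permitted subtree violation
```

The restriction is enforced by the validating client, not by the CA's signing operation, so it protects only clients that implement RFC 5280 name constraints; the second linked question covers the CN-only edge case.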
