NameConstraints is a Certificate Extension defined in RFC 5280 is used in Root Certificates and specifies the constraints that apply on Subject Certificate Distinguished Names and Subject Alternative Names of subsequent certificates in the Certificate Chain.

These NameConstraints can be applied in the form of permitted or excluded names. If a NameConstraints is mentioned in the permitted names list, then the subsequent certificates must comply with this constraint. If the constraint is mentioned in the excluded names list, then satisfying the NameConstraints results in failure of path validation.

The following constraints can majorly be applied:

More Information#

There might be more information for this subject on one of the following: