Overview

NameConstraints is a certificate extension defined in RFC 5280 (section 4.2.1.10). It is placed in CA certificates, a root or an intermediate, and restricts the subject Distinguished Names and Subject Alternative Names that may appear in every certificate below it in the certification path, intermediate CAs and end-entity certificates alike. RFC 5280 requires the extension to be marked critical, so a validator that does not understand it rejects the path rather than silently ignoring the constraint.
The constraints are expressed as two lists, permittedSubtrees and excludedSubtrees. If the permitted list contains at least one subtree of a given name form, every name of that form in a subsequent certificate must fall inside one of those subtrees; a name form with no permitted entries is unconstrained. A name that falls inside any excluded subtree causes path validation to fail, regardless of what the permitted list allows. When several CAs in a path carry the extension, the constraints accumulate: the effective permitted set is the intersection of their permitted lists and the effective excluded set is the union of their excluded lists.
Constraints are most commonly applied to the following name forms:
- Distinguished Names (directoryName) - constrain the subject DN of every subsequent certificate and any directoryName entries in its SAN. A DN is inside a subtree when the subtree's DN is an initial sequence of the DN's RDNs. Such a subtree may appear in either the permitted or the excluded list.
- DNS names (dNSName) - a constraint such as example.com is satisfied by example.com itself and by any name formed by adding labels on the left (www.example.com), but not by notexample.com.
- Email addresses (rfc822Name) - a complete mailbox (root@example.com), a host name (example.com, meaning every mailbox on that host), or a leading-dot domain (.example.com, meaning mailboxes in subdomains of example.com but not on the host example.com itself).
- IP addresses (iPAddress) - an address and mask, i.e. a CIDR range such as 192.0.2.0/24, that the SAN address must fall within.
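The matching rules above, carried through for all four name forms and for the permitted/excluded interaction, as an added example written for this page on the Python standard library only (it is not code from the original page or from any particular validator). The CA constraints and leaf names it checks are constructed test data; the (kind, value) representation of names is an assumption of the example, not an RFC encoding.

```python
"""RFC 5280 section 4.2.1.10 name-constraint matching, written from scratch for this page
(added example, stdlib only). Names and constraints are (kind, value) pairs:
  DNS   "host.example.com"                 constraint: a name or a parent domain
  EMAIL "alice@example.com"                constraint: a mailbox, a host, or ".domain"
  IP    "192.0.2.7"                        constraint: a CIDR range, e.g. "192.0.2.0/24"
  DN    (("C", "US"), ("O", "Example"))    constraint: an initial sequence of RDNs
"""
import ipaddress


def _dns_match(name, subtree):
    # "example.com" is satisfied by "example.com" and by anything that adds labels on
    # the left ("www.example.com"), but not by "notexample.com".
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def _email_match(name, subtree):
    local, _, host = name.rpartition("@")
    if "@" in subtree:                        # a single mailbox: exact match
        s_local, _, s_host = subtree.rpartition("@")
        return local == s_local and host.lower() == s_host.lower()
    if subtree.startswith("."):               # ".example.com": mailboxes in subdomains only,
        return host.lower().endswith(subtree.lower())   # not on the host example.com itself
    return host.lower() == subtree.lower()    # "example.com": any mailbox on that host


def _ip_match(name, subtree):
    # A name-constraint iPAddress is an address plus mask, i.e. a CIDR range.
    # ipaddress returns False for an IPv4 address against an IPv6 range and vice versa.
    return ipaddress.ip_address(name) in ipaddress.ip_network(subtree, strict=False)


def _dn_match(name, subtree):
    # A DN is inside the subtree when the subtree's RDN sequence is a prefix of it
    # (case-insensitive, as RFC 5280 section 7.1 caseIgnoreMatch would compare).
    norm = lambda dn: tuple((a.lower(), v.strip().lower()) for a, v in dn)
    name, subtree = norm(name), norm(subtree)
    return len(subtree) <= len(name) and name[:len(subtree)] == subtree


_MATCH = {"DNS": _dns_match, "EMAIL": _email_match, "IP": _ip_match, "DN": _dn_match}


def check_name_constraints(permitted, excluded, names):
    """Return (True, None) if every name passes, else (False, reason).

    RFC 5280 sections 6.1.3 and 6.1.4: a name inside any excluded subtree fails; if the
    permitted list has at least one subtree of the name's kind, the name must match one
    of them; a name kind with no permitted entries is unconstrained.
    """
    for kind, value in names:
        for s_kind, subtree in excluded:
            if s_kind == kind and _MATCH[kind](value, subtree):
                return False, f"{kind} {value!r} is inside excluded subtree {subtree!r}"
        applicable = [s for k, s in permitted if k == kind]
        if applicable and not any(_MATCH[kind](value, s) for s in applicable):
            return False, f"{kind} {value!r} is outside every permitted {kind} subtree"
    return True, None


def check_chain(ca_constraints, names):
    """Several constrained CAs in one path: permitted sets intersect and excluded sets
    unite, which is the same as requiring every CA's constraints to pass individually."""
    for permitted, excluded in ca_constraints:
        ok, reason = check_name_constraints(permitted, excluded, names)
        if not ok:
            return ok, reason
    return True, None


# Constructed example: an intermediate CA issued to one organisation.
CA_PERMITTED = [("DNS", "example.com"), ("EMAIL", ".example.com"),
                ("IP", "192.0.2.0/24"), ("DN", (("C", "US"), ("O", "Example Corp")))]
CA_EXCLUDED = [("DNS", "internal.example.com")]

# Constructed leaf certificates, given as subject DN plus SAN entries.
GOOD_LEAF = [("DN", (("C", "US"), ("O", "Example Corp"), ("CN", "www.example.com"))),
             ("DNS", "www.example.com"), ("IP", "192.0.2.10"),
             ("EMAIL", "ops@mail.example.com")]
BAD_LEAF_DNS = [("DNS", "www.notexample.com")]          # outside the permitted DNS subtree
BAD_LEAF_EXCLUDED = [("DNS", "db.internal.example.com")]  # permitted, but excluded wins
BAD_LEAF_EMAIL = [("EMAIL", "root@example.com")]        # ".example.com" excludes the bare host

if __name__ == "__main__":
    for label, leaf in [("good", GOOD_LEAF), ("bad dns", BAD_LEAF_DNS),
                        ("excluded", BAD_LEAF_EXCLUDED), ("bad email", BAD_LEAF_EMAIL)]:
        print(label, check_name_constraints(CA_PERMITTED, CA_EXCLUDED, leaf))
```

Running the module prints one verdict per constructed leaf; only the first passes. The excluded check runs before the permitted check on purpose, since an excluded match must fail the path even when the name also sits inside a permitted subtree.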