Hi, I think you're missing one -.

The command should be:

certutil -A -d . -n foo -i RootCA.pem --extNC -t "C,C,C"

Thanks

On 04/04/2016 05:20 AM, Ángel González wrote:
Hello all,

I have an unrestricted CA I would like to trust for *some* domains. NSS seems to support this. It should be possible to use certutil with the -extNC parameter (missing from [1], btw) to add the name constraint [2] to the legit subtree(s).

So I tried with a command like:

certutil -A -d . -n foo -i RootCA.pem -extNC

as well as creating a new certificate:

certutil -S -d . -s "CN=Example_$RAND" -n my-ca-cert -x -t "C,C,C" -extNC

and also did some guesses about the kind of parameter it might take (e.g. example.com, permittedSubtrees=.example.com), to no avail. In all cases it fails with:

certutil: unable to decode trust string: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

Looking at the code [3] I would expect it to show a wizard requesting the information (just like the other constraints, such as -2). I used certutil from nss 3.23.

Has someone successfully used name constraints with nss? What parameters should I be using?

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil
[2] http://tools.ietf.org/html/rfc5280#section-4.2.1.10
[3] https://hg.mozilla.org/projects/nss/file/dce6ee11ad9c/cmd/certutil/certext.c#l953
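The thread is about what a name-constrained trust anchor is allowed to vouch for. The following is an added illustration, not code from NSS or from either poster: it models the dNSName matching rule of RFC 5280 section 4.2.1.10 (the reference [2] above) in plain Python, so a reader can see which leaf names a CA restricted to a permitted subtree may cover and which it may not. The class and function names are this example's own; the handling of a leading dot (the ".example.com" spelling tried above) is an assumption made here for convenience, not something the RFC specifies.

```python
"""RFC 5280 4.2.1.10 name-constraint evaluation for dNSName entries.

Added example for illustration; it is not NSS code and does not parse
certificates. It only answers: given a CA's permitted/excluded dNSName
subtrees, may that CA vouch for a given DNS name?
"""
from __future__ import annotations

from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively. A leading dot (the NSS-style
    # ".example.com" spelling) is stripped here so both spellings denote
    # the same subtree; that normalisation is this example's choice.
    return name.lower().lstrip(".").rstrip(".").split(".")


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """True if name equals the subtree or is the subtree with extra labels on the left.

    RFC 5280: a dNSName constraint "host.example.com" is satisfied by any name
    built by adding zero or more labels to its left-hand side. Compare whole
    labels, not string suffixes: a plain endswith() would wrongly let
    "badexample.com" satisfy a constraint of "example.com".
    """
    n, s = _labels(name), _labels(subtree)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


@dataclass
class NameConstraints:
    """Permitted and excluded dNSName subtrees from one CA certificate."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def allows(self, dns_name: str) -> bool:
        # An excluded subtree overrides any permitted one.
        if any(dns_name_in_subtree(dns_name, s) for s in self.excluded):
            return False
        # With no permitted dNSName subtrees, any DNS name is acceptable
        # (constraints of other name types would still apply to those types).
        if not self.permitted:
            return True
        return any(dns_name_in_subtree(dns_name, s) for s in self.permitted)


def names_outside_constraints(nc: NameConstraints, san_dns_names: list[str]) -> list[str]:
    """Return the SAN dNSName entries a constrained CA may NOT vouch for.

    A verifier that honours the extension rejects a leaf whose SAN contains
    any such name, so an empty result means the leaf is inside the CA's scope.
    """
    return [name for name in san_dns_names if not nc.allows(name)]


if __name__ == "__main__":
    # Constructed sample: a CA trusted for example.com, but not its internal zone.
    ca_scope = NameConstraints(permitted=["example.com"],
                               excluded=["internal.example.com"])
    leaf_sans = ["www.example.com", "vpn.internal.example.com", "login.example.org"]
    print("rejected:", names_outside_constraints(ca_scope, leaf_sans))
```

Running the sample prints the two names the restricted CA cannot cover: the one under the excluded internal zone and the one outside example.com altogether. The label-wise comparison in dns_name_in_subtree is the part worth copying into any home-grown check; suffix string matching is the classic mistake that silently widens a constraint.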
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto