
Using NameConstraints in a CA certificate

Çağlar Arlı


I am trying to do something similar to what has been pointed out in this nice answer by Jonathon Reinhart.

I have a CA certificate with Name Constraints (RFC):

Permitted
     [1]Subtrees (0..0):
          DNS Name=valid.com
Excluded=None

Actually, I would like to prevent the CA from signing any other cert that can do a serverAuth, so I used a whitelist (would it be possible to have an Excluded = * ? how?)

This CA cert is Trusted by the user's browser.

Now I create 2 certs, one with SAN: DNS Name=valid.com and the other with SAN: DNS Name=fake.com, both signed by the CA. I configure my local DNS to associate these domains with localhost.

Then I configure the web service to use the "fake" cert and visit fake.com. It gives me an error "The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded.", which is good, although for some reason the error is shown by Windows over the CA certificate:

[Screenshot: Windows certificate viewer showing the "invalid name" error on the CA certificate]

Then I configure the web service to use the "valid" cert and visit valid.com, which is supposed to be accepted. But I get exactly the same error in the same conditions.

What is going wrong here?