A trusted certificate in the CTL may contain a name constraint extension. This extension defines a namespace for the values of all subject name and subject alternative name fields of subsequent certificates in a certificate chain. Cisco ISE does not check constraints specified in a root certificate.
The following name constraints are supported:
- Directory name: the Directory name constraint should be a prefix of the directory name in the subject/SAN. For example:
  - Correct subject prefix:
    CA certificate name constraint: Permitted: O=Cisco
    Client certificate subject: O=Cisco,CN=Salomon
  - Incorrect subject prefix:
    CA certificate name constraint: Permitted: O=Cisco
    Client certificate subject: CN=Salomon,O=Cisco
- DNS
- E-mail
- URI (the URI constraint must start with a URI prefix such as http://, https://, ftp://, or ldap://)
The following name constraints are not supported:
When a trusted certificate contains a constraint that is not supported and the certificate being verified does not contain the corresponding field, the certificate is rejected, because Cisco ISE cannot verify unsupported constraints.
The following is an example of the name constraints definition within the trusted certificate:
X509v3 Name Constraints: critical
Permitted:
othername:<unsupported>
email:.abcde.at
email:.abcde.be
email:.abcde.bg
email:.abcde.by
DNS:.dir
DirName: DC = dir, DC = emea
DirName: C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic
DirName: C = BG, ST = EMEA, L = BG, O = ABCDE Group, OU = Domestic
DirName: C = BE, ST = EMEA, L = BN, O = ABCDE Group, OU = Domestic
DirName: C = CH, ST = EMEA, L = CH, O = ABCDE Group, OU = Service Z100
URI:.dir
IP:172.23.0.171/255.255.255.255
Excluded:
DNS:.dir
URI:.dir
An acceptable client certificate subject that matches the above definition is as follows:
Subject: DC=dir, DC=emea, OU=+DE, OU=OU-Administration, OU=Users, OU=X1, CN=cwinwell
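To make the prefix rule for Directory name constraints and the suffix matching for DNS and e-mail names concrete, here is an added Python illustration that checks the Cisco/Salomon example and the DC=dir, DC=emea subject above; it is not Cisco ISE code. The Permitted/Excluded precedence it applies (an Excluded match rejects first) and the suffix interpretation of ".dir"-style entries are assumptions taken from RFC 5280 conventions rather than from this page.

```python
# Added illustration of the matching rules described above (prefix match for
# Directory name, suffix match for DNS/e-mail); not Cisco ISE's own code.
# Assumes OpenSSL-style "ATTR = value, ATTR = value" DN strings without
# escaped commas, and Permitted/Excluded given as lists of (kind, constraint).

def parse_dn(dn):
    """Split "DC = dir, DC = emea" into an ordered list of (attr, value) RDNs."""
    rdns = []
    for part in dn.split(","):
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def dirname_permitted(constraint, subject):
    """The constraint DN must be a prefix of the subject DN, compared RDN by
    RDN in the written order (so O=Cisco does not match CN=x,O=Cisco)."""
    c, s = parse_dn(constraint), parse_dn(subject)
    return len(c) <= len(s) and s[:len(c)] == c

def suffix_permitted(constraint, name):
    """DNS / e-mail constraints such as ".dir" or ".abcde.at": the name must
    end with that suffix; compared case-insensitively, as hostnames are."""
    return name.lower().endswith(constraint.lower())

MATCHERS = {"DirName": dirname_permitted, "DNS": suffix_permitted,
            "email": suffix_permitted}

def name_acceptable(permitted, excluded, kind, name):
    """Evaluate one subject/SAN value: any Excluded match rejects; otherwise the
    value must match a Permitted entry of its own kind if any such entry exists.
    Kinds without a matcher here (othername, IP, URI) are not modelled."""
    match = MATCHERS[kind]
    if any(match(c, name) for k, c in excluded if k == kind):
        return False
    relevant = [c for k, c in permitted if k == kind]
    return not relevant or any(match(c, name) for c in relevant)

# Constructed sample mirroring part of the page's example CA definition.
PERMITTED = [("email", ".abcde.at"), ("DNS", ".dir"),
             ("DirName", "DC = dir, DC = emea"),
             ("DirName", "C = AT, ST = EMEA, L = AT, O = ABCDE Group, OU = Domestic")]
EXCLUDED = [("DNS", ".dir")]
```

Note that with DNS:.dir in both lists, every ".dir" DNS name is rejected: the Excluded entry wins, so the DirName and e-mail entries are what actually admit certificates under this definition.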