|
20 | 20 | <link rel=icon type='image/png' href='/blog/image/blog-30.png'> |
21 | 21 | <meta name=viewport content='width=device-width, initial-scale=1'> |
22 | 22 |
|
23 | | - |
24 | 23 | <script type='application/ld+json'> |
25 | 24 | { |
26 | 25 | "@context" : "https://schema.org", |
|
84 | 83 |
|
85 | 84 | config = mod.config; |
86 | 85 | cmd = mod.cmd; |
87 | | - log = mod.log; |
| 86 | + log = mod['log-mod']; |
88 | 87 |
|
89 | 88 |
|
90 | 89 | config.initmod({ext,$,datatype,menu}); |
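Review bot: On new line 86, mod['log-mod'] is read with no check that a module is actually registered under that key, so a missed rename would leave log undefined and only fail at its first use. Consider checking the value right after the lookup and failing with a clear message before config.initmod(...) runs. The bracket access is required by the hyphen in the key, which makes this line differ from mod.config and mod.cmd above; a one-line comment saying so would help.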
|
224 | 223 | <body> |
225 | 224 |
|
226 | 225 |
|
227 | | - <blog-hdr component=grp1 v2.0> |
| 226 | + <blog-hdr component=grp1> |
228 | 227 | <h1 class=title> |
229 | 228 | Add Name Constraints To A x509 Certificate |
230 | 229 | </h1> |
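Review bot: The v2.0 attribute is dropped from blog-hdr on new line 226 with nothing in the visible lines saying how the component version is chosen now. If the loader used that attribute, state in the commit message what replaces it, or confirm that the default it falls back to is the intended one.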
|
250 | 249 | </div> |
251 | 250 | </p> |
252 | 251 | <h4> |
253 | | - 🔐 1. Enterprise Internal PKI |
| 252 | + 1. Enterprise Internal PKI |
254 | 253 | </h4> |
255 | 254 | <p> |
256 | 255 | In large organizations with internal CAs, you can use Name Constraints to restrict subordinate CAs to only issue certificates for internal domains like |
|
267 | 266 | This prevents accidental or malicious issuance for public domains like google.com or microsoft.com. |
268 | 267 | </p> |
269 | 268 | <h4> |
270 | | - 🧪 2. Testing and Development Environments |
| 269 | + 2. Testing and Development Environments |
271 | 270 | </h4> |
272 | 271 | <p> |
273 | 272 | When setting up a test CA for staging or dev environments, you can constrain it to: |
|
284 | 283 | This ensures test certificates can't be misused in production or public-facing systems. |
285 | 284 | </p> |
286 | 285 | <h4> |
287 | | - 🧭 3. Delegated Subordinate CA |
| 286 | + 3. Delegated Subordinate CA |
288 | 287 | </h4> |
289 | 288 | <p> |
290 | 289 | If you delegate certificate issuance to a third party (e.g., a partner or vendor), you can constrain their CA to only issue for: |
|
304 | 303 | This is especially useful in federated identity systems or multi-tenant infrastructure. |
305 | 304 | </p> |
306 | 305 | <h4> |
307 | | - 🛡️ 4. IoT Device Identity |
| 306 | + 4. IoT Device Identity |
308 | 307 | </h4> |
309 | 308 | <p> |
310 | 309 | For IoT deployments, constrain device certificates to: |
|
321 | 320 | This helps prevent rogue devices from impersonating others or accessing unauthorized networks. |
322 | 321 | </p> |
323 | 322 | <h4> |
324 | | - 📜 5. Regulatory Compliance |
| 323 | + 5. Regulatory Compliance |
325 | 324 | </h4> |
326 | 325 | <p> |
327 | 326 | In sectors like finance or healthcare, constraints can enforce strict boundaries: |
|
338 | 337 | This supports auditability and reduces risk in tightly regulated environments. |
339 | 338 | </p> |
340 | 339 | <h4> |
341 | | - 🧠 Summary |
| 340 | + Summary |
342 | 341 | </h4> |
343 | 342 | <p> |
344 | 343 | Name Constraints are like a firewall for your CA’s identity scope. They don’t just say “this CA can issue certificates”—they say “only for these names, and never for those.” Whether you're building a personal PKI, securing enterprise infrastructure, or sandboxing a delegated CA, they’re a powerful tool for trust hygiene. |
|
364 | 363 | </div> |
365 | 364 |
|
366 | 365 |
|
367 | | - <editor id=config component v2.0 fullsize src='ex/config.txt'></editor> |
| 366 | + <web-editor id=config fullsize src='ex/config.txt' component></web-editor> |
368 | 367 |
|
369 | | - <editor id=cmd component v2.0 fullsize src='ex/cmd.txt'></editor> |
| 368 | + <web-editor id=cmd fullsize src='ex/cmd.txt' component></web-editor> |
370 | 369 |
|
371 | 370 |
|
372 | 371 | <!-- |
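Review bot: New lines 366 and 368 move the component attribute to the end of the list, while blog-hdr on new line 226 keeps it directly after the tag name; pick one order for all components. The ids config and cmd are kept, which matches the unchanged mod.config and mod.cmd lookups, but any selector or style rule that targeted the old editor tag name also needs updating, and the visible script change only covers the log lookup.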
|
390 | 389 | </div> |
391 | 390 |
|
392 | 391 |
|
393 | | - <log component v2.0></log> |
| 392 | + <log-mod component></log-mod> |
394 | 393 |
|
395 | 394 |
|
396 | 395 | </body> |
|