Comment by ArchOversight
3 years ago
Apple devices support the Name Constraint extension just fine. I've deployed a bunch of internal CAs with Name Constraint and Apple's macOS/iOS/iPadOS block certs that are signed for anything outside of the constraints. As is intended.
AFAIK the Apple bug was fixed in macOS 10.13.3 from what I can find online. [1]
[1]: https://security.stackexchange.com/questions/95600/are-x-509...
That's great to hear! I'd only heard secondhand, so I updated my comment to reflect this detail.
Also I found https://bettertls.com publishes details about which TLS features are supported on different platforms over time, and it appears that the latest test in Dec 2021 shows most platforms support name constraints.
With that roadblock evaporated, I think this would be the perfect solution to a lot of organization- and homelab-level certificate woes. I'd really like to hear from a domain expert on how feasible it would be to automate for free public certs, ACME-style.
I'm happy to see that a big name like Netflix is getting behind this. I've been wishing for better Name Constraints support ever since learning how certificates work. Almost every situation where someone currently uses a wildcard could be done better with a name-constrained CA cert.
I would love for this to become as widely supported as wildcards so those who choose to use them could do so easily.
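The behaviour both commenters describe (a CA that can only issue for one DNS subtree, and a verifier rejecting anything signed outside it) can be checked locally with nothing but the OpenSSL CLI. The script below is an added example, not code from the thread or from bettertls.com; it assumes an OpenSSL 1.1.1 or 3.x `openssl` binary on PATH, and the zone `lab.example.com`, the hostnames and the CA names are made up for the demo. It builds a root, an issuing CA with a critical `nameConstraints` extension permitting `DNS:lab.example.com`, then issues one leaf inside that subtree and one outside it and runs `openssl verify` against each.

```sh
#!/bin/sh
# Added example (not from the thread): build a name-constrained issuing CA
# with OpenSSL and check that a leaf inside the permitted DNS subtree
# validates while a leaf outside it is rejected. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CONF="$WORK/pki.cnf"

# Minimal config: every extension set is explicit so the result does not
# depend on the system openssl.cnf defaults.
write_config() {
  cat > "$CONF" <<'EOF'
[req]
prompt = no
distinguished_name = dn

[dn]

[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# The issuing CA may only sign names under lab.example.com (RFC 5280 form,
# no leading dot: lab.example.com itself and any subdomain are permitted).
[v3_constrained_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:lab.example.com
EOF
}

# ec_csr <basename> <subject>: fresh P-256 key plus CSR.
ec_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -config "$CONF" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue_leaf <basename> <hostname>: server leaf signed by the constrained CA.
# CN and SAN carry the same hostname so the CN check cannot mask the result.
issue_leaf() {
  printf '[leaf]\nbasicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$2" > "$WORK/$1.ext"
  ec_csr "$1" "/CN=$2"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -extensions leaf \
    -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  write_config
  # Root: self-signed and unconstrained; it is the trust anchor.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -config "$CONF" -extensions v3_root -subj "/CN=Example Root" -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # Constrained issuing CA, signed by the root.
  ec_csr sub "/CN=Example Lab Issuing CA"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$CONF" -extensions v3_constrained_ca \
    -out "$WORK/sub.crt" 2>/dev/null
  issue_leaf in-scope app.lab.example.com
  # Same CA key, but a name outside the permitted subtree.
  issue_leaf out-of-scope app.example.net
}

# verify_status <basename>: prints "valid" if the chain root -> sub -> leaf
# verifies and "rejected" otherwise. Name constraints are part of openssl
# verify's default chain checks; no extra flag is needed.
verify_status() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
       "$WORK/$1.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

build_pki
for leaf in in-scope out-of-scope; do
  printf '%s -> %s\n' "$leaf" "$(verify_status "$leaf")"
done
# Show the verifier's stated reason for the rejection.
openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
  "$WORK/out-of-scope.crt" || true
```

The out-of-scope leaf is a valid signature from a valid CA; the only thing wrong with it is the name, and that is exactly what the verifier reports (OpenSSL calls it a permitted subtree violation). The same chain can be loaded into a macOS or iOS trust store, or run through Go's crypto/x509 or a browser, to reproduce the per-platform results bettertls.com publishes.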