NameConstraints
NameConstraints is an X.509 v3 certificate extension used by certificate authorities to limit the set of names that may appear in certificates issued under a given CA. It enables an authority to define the scope of acceptable names for any subordinate certificates, thereby reducing the risk of certificates being issued for unintended domains, email addresses, or directory names.
The extension defines two optional fields: permittedSubtrees and excludedSubtrees. Each field contains a sequence of GeneralSubtree
Processing rules are applied during path validation. If permittedSubtrees is present, every name in a certificate’s
NameConstraints is defined in RFC 5280 and is commonly used in enterprise PKI and in some public
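
The following is an added example, not part of the original page: a sketch of how a validator applies permittedSubtrees and excludedSubtrees to dNSName entries under the matching rules of RFC 5280, section 4.2.1.10. The function names and all sample host names are constructed for illustration, and only the dNSName name type is modelled.

```python
# Added example (not from the page): dNSName checks per RFC 5280, 4.2.1.10.
# Function names are hypothetical; minimum/maximum fields are not modelled.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def dns_in_subtree(name, constraint):
    """True if name equals constraint or only adds whole labels on the left."""
    n, c = _labels(name), _labels(constraint)
    # An empty constraint has no labels, so it matches every DNS name.
    return len(n) >= len(c) and n[len(n) - len(c):] == c


def check_dns_names(names, permitted=None, excluded=None):
    """Return (ok, reason) for the dNSName entries of one certificate.

    permitted=None models a CA with no permitted dNSName subtrees, which
    leaves DNS names unrestricted by that field.
    """
    for name in names:
        # Excluded subtrees win regardless of what is permitted.
        for c in excluded or []:
            if dns_in_subtree(name, c):
                return False, f"{name} is inside excluded subtree {c!r}"
        if permitted is not None and not any(
            dns_in_subtree(name, c) for c in permitted
        ):
            return False, f"{name} is outside every permitted subtree"
    return True, "all names satisfy the constraints"


if __name__ == "__main__":
    # Constructed sample data: an enterprise sub-CA limited to corp.example.
    permitted, excluded = ["corp.example"], ["secret.corp.example"]
    for sans in (["vpn.corp.example"], ["notcorp.example"],
                 ["db.secret.corp.example"], ["vpn.corp.example", "evil.test"]):
        print(sans, check_dns_names(sans, permitted, excluded))
```

Matching is done on whole labels, so `notcorp.example` does not fall inside `corp.example`; a plain string suffix comparison would accept it.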