constraints Plugin
Purpose
The constraints plugin for libstrongswan provides advanced checking of the X.509 certificate constraints defined in RFC 5280. Currently the following constraints are enforced:
- pathLenConstraint (see section 4.2.1.9 of RFC 5280): If an issuer certificate specifies a maximum path length, the plugin verifies that the trust path does not exceed it.
- nameConstraints (see section 4.2.1.10 of RFC 5280): Allows an issuer certificate to limit the name space within which all subject names in the trust path must be located.
- policyConstraints (see section 4.2.1.11 of RFC 5280): The plugin verifies the policy constraints specified by an issuer certificate.
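The following is an added sketch, not code from strongSwan or the plugin, of how the first two checks behave along a trust path, following the path validation rules of RFC 5280. It covers pathLenConstraint and dNSName nameConstraints only; the Cert model, check_path, sample_chain and the example.org names are assumptions made for illustration.

```python
# Added illustration; simplified model, not libstrongswan code and not an X.509 parser.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    path_len: Optional[int] = None                       # pathLenConstraint
    permitted: List[str] = field(default_factory=list)   # nameConstraints, dNSName only
    excluded: List[str] = field(default_factory=list)
    dns_names: List[str] = field(default_factory=list)   # subjectAltName dNSName

def in_subtree(name: str, base: str) -> bool:
    """A dNSName is inside a subtree if it equals the base or adds labels on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def check_path(chain: List[Cert]) -> List[str]:
    """chain is ordered trust anchor first, end entity last; returns the violations."""
    errors, max_path_len, constraints = [], len(chain), []
    for i, cert in enumerate(chain):
        last = i == len(chain) - 1
        self_issued = cert.subject == cert.issuer
        if last or not self_issued:          # names of self-issued CAs are exempt
            for name in cert.dns_names:
                for permitted, excluded in constraints:
                    if any(in_subtree(name, b) for b in excluded):
                        errors.append(f"{name}: in excluded subtree")
                    elif permitted and not any(in_subtree(name, b) for b in permitted):
                        errors.append(f"{name}: outside permitted subtrees")
        if last:
            break
        if not self_issued:                  # each intermediate CA uses up one level
            if max_path_len <= 0:
                errors.append(f"{cert.subject}: pathLenConstraint exceeded")
            max_path_len -= 1
        if cert.path_len is not None:        # a CA can only tighten the limit
            max_path_len = min(max_path_len, cert.path_len)
        if cert.permitted or cert.excluded:
            constraints.append((cert.permitted, cert.excluded))
    return errors

def sample_chain(leaf_name: str, intermediates: int) -> List[Cert]:
    """Constructed sample: root with pathLen 1, permitted example.org, excluded internal.example.org."""
    chain = [Cert("Root", "Root", path_len=1, permitted=["example.org"],
                  excluded=["internal.example.org"])]
    for n in range(1, intermediates + 1):
        chain.append(Cert(f"Sub CA {n}", chain[-1].subject))
    return chain + [Cert("leaf", chain[-1].subject, dns_names=[leaf_name])]
```

With the constructed root (pathLen 1), one intermediate CA is accepted and a second one is reported as exceeding the path length; a leaf name outside example.org or inside internal.example.org is reported as a name constraint violation.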
The constraints plugin is enabled by default but may be disabled with the ./configure option --disable-constraints.
X.509 Certificates
The pki tool supports the creation of X.509 certificates containing one or several of the constraints defined above.