The constraints plugin for libstrongswan provides advanced checking of the X.509 certificate constraints defined in RFC 5280.
Currently the following constraints are enforced:
pathLenConstraint (see section 4.2.1.9 of RFC 5280): If an issuer certificate specifies a maximum path length, the plugin verifies that the trust path does not exceed it.
nameConstraints (see section 4.2.1.10 of RFC 5280): Allows an issuer certificate to limit the name space within which all subject names in the trust path must be located.
policyConstraints (see section 4.2.1.11 of RFC 5280): The plugin verifies the policy constraints specified by an issuer certificate.
The constraints plugin is enabled by default but may be disabled with the
The pki tool supports the creation of X.509 certificates containing one or several of the constraints defined above.
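To make the pathLenConstraint and nameConstraints rules listed above concrete, the following added example (not strongSwan code and not part of the original page) models both checks in Python over a constructed certificate chain. The `Cert` class, `check_path` function and all names in the sample hierarchy are hypothetical. As a simplification it handles only dNSName constraints and skips policyConstraints.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate (only the fields checked here)."""
    subject: str
    issuer: str
    dns_names: List[str] = field(default_factory=list)  # subjectAltName dNSName
    path_len: Optional[int] = None                      # pathLenConstraint
    permitted: List[str] = field(default_factory=list)  # nameConstraints permitted
    excluded: List[str] = field(default_factory=list)   # nameConstraints excluded


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName rule: equal to base, or base with labels added on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def check_path(chain: List[Cert]) -> Tuple[bool, str]:
    """chain[0] is the end entity, chain[-1] the trust anchor."""
    for i, ca in enumerate(chain[1:], start=1):
        below = chain[:i]  # every certificate that chains up to this CA
        # pathLenConstraint limits the non-self-issued CA certificates below this CA
        depth = sum(1 for c in below[1:] if c.subject != c.issuer)
        if ca.path_len is not None and depth > ca.path_len:
            return False, f"{ca.subject}: pathLenConstraint {ca.path_len} exceeded"
        for name in (n for c in below for n in c.dns_names):
            if any(dns_in_subtree(name, b) for b in ca.excluded):
                return False, f"{ca.subject}: {name} is in an excluded subtree"
            if ca.permitted and not any(dns_in_subtree(name, b) for b in ca.permitted):
                return False, f"{ca.subject}: {name} is outside the permitted subtrees"
    return True, "ok"


# Constructed sample hierarchy: root -> site CA -> (lab CA ->) gateway
ROOT = Cert("Root CA", "Root CA", path_len=1,
            permitted=["example.org"], excluded=["dev.example.org"])
SITE = Cert("Site CA", "Root CA", path_len=0)
LAB = Cert("Lab CA", "Site CA")
GW = Cert("gateway", "Site CA", dns_names=["vpn.example.org"])

if __name__ == "__main__":
    print(check_path([GW, SITE, ROOT]))
    print(check_path([Cert("gw2", "Lab CA", ["vpn.example.org"]), LAB, SITE, ROOT]))
    print(check_path([Cert("gw3", "Site CA", ["a.dev.example.org"]), SITE, ROOT]))
```

The second chain fails because Site CA sets a path length of 0 yet issues a further CA, and the third fails because the excluded subtree takes precedence over the permitted one.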