constraints Plugin


The constraints plugin for libstrongswan provides advanced constraint checking for X.509 certificates that are defined in RFC 5280.

Currently the following constraints are enforced:

  • pathLenConstraint (see section of RFC 5280): If an issuer certificate specifies a maximum path length, the plugin verifies that the trust path does not exceed it

  • nameConstraints (see section of RFC 5280): Allows an issuer certificate to limit the name space within which all subject names in the trust path must be located

  • policyConstraints (see section of RFC 5280): The plugin verifies the policy constraints specified by an issuer certificate

The constraints plugin is enabled by default but may be disabled with the ./configure option


X.509 Certificates

The pki tool supports the creation of X.509 certificates containing one or several of the constraints defined above.