I'm looking for a reliable and predictable way to get constrained certificates for my domain. The more constrained my CA, the easier it is for others to trust my CA and have a good experience in my network. No need to worry about this CA signing anything outside of there.
The general idea is to have a Root CA that is constrained to the following name constraints.
DNS: example.com
DNS: .example.com
email: example.com
email: .example.com
DirectoryName:O=Example
With sub certificate authorities being responsible for their respective subdomain. For example, the dev subnet would get the dev subdomain and its own CA. The plan would be that the template then takes the values from the root CA and asks for the subdomain so I can get the following constraints.
DNS: dev.example.com
DNS: .dev.example.com
email: dev.example.com
email: .dev.example.com
DirectoryName:O=Example
This behavior should continue through the entire chain.
Furthermore, I'd like to specify that if I enter an OU - for example Development - in the DistinguishedName mask, that should be added to the constraints so the subtree MUST keep these (or at least cannot use other) elements of the DistinguishedName.
DirectoryName:O=Example;OU=Development
The best solution I could come up with would be to have scripting features in the templates that, when used, cause XCA to raise another mask to fill in required and optional variables. I could see this being a significant burden in terms of development though. I am open to suggestions of any kind.
Best,
Gab
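The derivation the post asks the template to perform (take the parent CA's constraints, push DNS and email down one label, append an OU to the directoryName prefix) and the check that each sub-CA really is narrower than its issuer can be written down independently of XCA. The following is an added example, not XCA project code: it uses the constraint values quoted in the post, applies the RFC 5280 name-constraint matching rules as OpenSSL implements them (a dNSName without a leading dot covers the host and its subdomains, with a leading dot subdomains only; an rfc822Name without a leading dot covers mailboxes at that host only, with a leading dot any host in the domain; a directoryName covers every DN that starts with it), and emits an OpenSSL `x509v3_config`-style `nameConstraints` line that can be compared against what a template produces. The `NameConstraints` class, `derive_child`, `is_narrower` and `openssl_config` are names chosen for this example.

```python
"""Derive sub-CA name constraints from a parent and verify they only narrow.

Constructed example built around the constraints quoted in the post; it does
not touch XCA or OpenSSL, it only models the permitted subtrees.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Attr = Tuple[str, str]  # one RDN attribute, e.g. ("O", "Example")


@dataclass(frozen=True)
class NameConstraints:
    dns: Tuple[str, ...]           # permitted dNSName entries
    email: Tuple[str, ...]         # permitted rfc822Name entries
    directory: Tuple[Attr, ...]    # permitted directoryName as a DN prefix


# The root CA constraints from the post.
ROOT_CONSTRAINTS = NameConstraints(
    dns=("example.com", ".example.com"),
    email=("example.com", ".example.com"),
    directory=(("O", "Example"),),
)


def apex_domain(nc: NameConstraints) -> str:
    """The bare domain a CA owns: its first dNSName entry without a leading dot."""
    for entry in nc.dns:
        if not entry.startswith("."):
            return entry
    raise ValueError("no bare domain among the dNSName constraints")


def derive_child(parent: NameConstraints, subdomain: str,
                 ou: Optional[str] = None) -> NameConstraints:
    """Constraints for a sub-CA owning `subdomain` under the parent's domain.

    DNS and email keep the parent's host/.host pair shifted one label down;
    the directoryName prefix grows by OU=<ou> when an OU is given.
    """
    child_domain = f"{subdomain}.{apex_domain(parent)}"
    pair = (child_domain, "." + child_domain)
    directory = parent.directory + ((("OU", ou),) if ou else ())
    return NameConstraints(dns=pair, email=pair, directory=directory)


def _is_subdomain(host: str, domain: str) -> bool:
    """host lies strictly below domain, at a label boundary."""
    return host.endswith("." + domain)


def dns_covers(parent: str, child: str) -> bool:
    """Every dNSName the child constraint permits is permitted by the parent."""
    p, c = parent.lstrip("."), child.lstrip(".")
    if parent.startswith("."):
        # Subdomains only: child must sit strictly below, or be the same
        # subdomains-only constraint.
        return _is_subdomain(c, p) or (child.startswith(".") and c == p)
    return c == p or _is_subdomain(c, p)


def email_covers(parent: str, child: str) -> bool:
    """Every rfc822Name the child constraint permits is permitted by the parent."""
    if "@" in parent:                      # a single mailbox covers only itself
        return child == parent
    child_host = child.split("@")[-1]
    if parent.startswith("."):             # any host inside the domain
        if "@" in child:
            return _is_subdomain(child_host, parent[1:])
        return _is_subdomain(child_host.lstrip("."), parent[1:]) or child == parent
    # Bare host: only mailboxes at exactly that host.
    return child_host == parent if "@" in child else child == parent


def directory_covers(parent: Tuple[Attr, ...], child: Tuple[Attr, ...]) -> bool:
    """The child DN prefix extends the parent DN prefix (RDN order matters)."""
    return child[:len(parent)] == parent


def is_narrower(child: NameConstraints, parent: NameConstraints) -> bool:
    """True when the child CA cannot issue any name the parent could not.

    An empty parent list means that name form is unconstrained at the parent.
    """
    dns_ok = not parent.dns or all(any(dns_covers(p, c) for p in parent.dns) for c in child.dns)
    email_ok = not parent.email or all(any(email_covers(p, c) for p in parent.email) for c in child.email)
    return dns_ok and email_ok and directory_covers(parent.directory, child.directory)


def openssl_config(nc: NameConstraints, dir_section: str = "nc_dirname") -> str:
    """OpenSSL x509v3_config fragment equivalent to nc (permitted subtrees only)."""
    items = [f"permitted;DNS:{d}" for d in nc.dns]
    items += [f"permitted;email:{e}" for e in nc.email]
    if nc.directory:
        items.append(f"permitted;dirName:{dir_section}")
    lines = ["nameConstraints = " + ", ".join(items)]
    if nc.directory:                       # dirName refers to its own section
        lines.append(f"[{dir_section}]")
        lines += [f"{attr} = {value}" for attr, value in nc.directory]
    return "\n".join(lines)


if __name__ == "__main__":
    dev = derive_child(ROOT_CONSTRAINTS, "dev", ou="Development")
    print(openssl_config(dev, "nc_dev"))
    print("dev narrower than root:", is_narrower(dev, ROOT_CONSTRAINTS))
```

Running it prints the `nameConstraints` line for the dev sub-CA (`permitted;DNS:dev.example.com, permitted;DNS:.dev.example.com, permitted;email:dev.example.com, ...`) with an `[nc_dev]` section holding `O = Example` and `OU = Development`. Two points worth keeping in mind when designing the template: the directoryName rule is a prefix match, so the OU is only enforced if it follows the parent's RDNs in the same order, and the bare-host email form `dev.example.com` does not cover `.dev.example.com`, which is why each level needs both entries rather than one.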