FWIW, it seems that Microsoft's implementation of adding name constraints with the certreq tool doesn't meet the RFC rules, and at least some non-Microsoft tools (Java 8) don't work well when name constraints are added.
It looks like when you add name constraints, and you don't specify values for each type of constraint in the "permitted" section, certreq will add the missing types with a "wildcard." For instance, if you want to limit just the directory name, it still adds email and URL to the permitted section:
The problem is that Java chokes on these empty fields... the rfc8222 name (email) isn't allowed to be blank in the RFC, for instance.
[NameConstraintsPermitted]
DNS = .contoso.com
DIRECTORYNAME = "DC=corp, DC=contoso, DC=com"
----- What's added to the certificate:
DNS = .contoso.com
DIRECTORYNAME = "DC=corp, DC=contoso, DC=com"
email =
URL = /
IPAddress =
The other issue is that although the MS documentation says that the DNS entries should look like:
DNS=.contoso.com
The RFC doesn't seem to allow the DNS to start with a . (though that is explicitly listed as valid for URLs):
DNS name restrictions are expressed as host.example.com. Any DNS
name that can be constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint. For
example, www.host.example.com would satisfy the constraint but
host1.example.com would not.
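Added example, not from the post: a small stdlib-only linter that decodes a DER NameConstraints extension and flags both problems described above, the padded-in empty rfc822Name / "/" URI / empty iPAddress entries and the leading-dot dNSName form. The sample extension is constructed inline to mirror the certreq output quoted in the post (directoryName omitted); the DER helpers and the check messages are assumptions of this example, not certreq or Java behaviour.

```python
# GeneralName tags: rfc822Name [1], dNSName [2], URI [6], iPAddress [7]
RFC822, DNS, URI, IPADDR = 0x81, 0x82, 0x86, 0x87
SEQ, PERMITTED = 0x30, 0xA0  # SEQUENCE, permittedSubtrees [0]

def tlv(tag: int, body: bytes) -> bytes:
    # Minimal DER encoder: short-form length, 2-byte long form past 127.
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def parse_tlvs(data: bytes) -> list:
    # Split a DER blob into (tag, value) pairs, handling long-form lengths.
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        out.append((tag, data[i:i + n]))
        i += n
    return out

def check_general_name(tag: int, value: bytes):
    """Flag constraint forms that RFC 5280 section 4.2.1.10 does not define."""
    text = value.decode("ascii", "replace")
    if tag == RFC822 and not text:
        return "rfc822Name constraint is empty"
    if tag == DNS and text.startswith("."):
        return f"dNSName {text!r} has a leading dot (RFC form is host.example.com)"
    if tag == URI and not text.strip("/"):
        return f"uniformResourceIdentifier {text!r} names no host"
    if tag == IPADDR and len(value) not in (8, 32):
        return f"iPAddress has {len(value)} octets, RFC requires 8 (v4) or 32 (v6)"
    return None

def lint_name_constraints(der: bytes) -> list:
    # Walk permittedSubtrees/excludedSubtrees and collect one finding per bad entry.
    findings = []
    (_, body), = parse_tlvs(der)  # outer NameConstraints SEQUENCE
    for section_tag, subtrees in parse_tlvs(body):
        section = "permitted" if section_tag == PERMITTED else "excluded"
        for _, entry in parse_tlvs(subtrees):  # each GeneralSubtree SEQUENCE
            name_tag, value = parse_tlvs(entry)[0]  # its base GeneralName
            problem = check_general_name(name_tag, value)
            if problem:
                findings.append(f"{section}: {problem}")
    return findings

def subtree(tag: int, value: bytes) -> bytes:  # GeneralSubtree with just a base name
    return tlv(SEQ, tlv(tag, value))

# Constructed sample of what the post says certreq emits (directoryName omitted for brevity).
CERTREQ_LIKE = tlv(SEQ, tlv(PERMITTED, subtree(DNS, b".contoso.com")
    + subtree(RFC822, b"") + subtree(URI, b"/") + subtree(IPADDR, b"")))
```

Running `lint_name_constraints` over the NameConstraints extension bytes pulled from a real issued certificate (for example via `openssl asn1parse`) reports the same four entries before a Java client ever sees them.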