Related to this (too broad) question: How to implement my PKI?
I have a self-signed CA (
I would like to create a CA (ca1) with limited power derived from that first CA.
ca1 should only be able to sign certificates for *.foo.com and for
From this question, I found out that the Name Constraints extension is probably what I want.
The key for ca1 is already created and is
I already have an incomplete command for creating the request:
libressl req -new -sha512 -key ca1.foo.key.pem -out ca1.foo.csr.pem
What should I add to that line to limit ca1’s power to what I want?
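
One way to request such a constraint, as an added example that is not part of the original post: the function below wraps the `req` command from the question with a config file that asks for a Name Constraints extension. It assumes the tool is invoked as `openssl` (LibreSSL also installs under that name); the subject, the section names and the `pathlen:0` / `keyUsage` settings are illustrative assumptions, and only foo.com is constrained.

```shell
#!/bin/sh
# Added example: build a CSR for ca1 that requests Name Constraints.
# Assumed names: "openssl" binary, [ ca1_ext ] section, subject CN=ca1.

make_constrained_csr() {
    key="$1"; csr="$2"
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = ca1_ext

[ dn ]
CN = ca1

[ ca1_ext ]
# ca1 may sign end-entity certificates only, not further sub-CAs.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
# RFC 5280 DNS constraint: matches foo.com and every name below it.
nameConstraints  = critical, permitted;DNS:foo.com
EOF
    rc=0
    openssl req -new -sha512 -key "$key" -out "$csr" -config "$cnf" || rc=$?
    rm -f "$cnf"
    return $rc
}

# Print the extensions a CSR requests, for review before it is signed.
show_requested_extensions() {
    openssl req -in "$1" -noout -text |
        sed -n '/Requested Extensions/,/Signature Algorithm/p'
}

# Usage: make_constrained_csr ca1.foo.key.pem ca1.foo.csr.pem
```

A CSR only requests extensions: the constraint takes effect only if the signing CA places it in the certificate it issues for ca1, so check the issued certificate with `openssl x509 -noout -text` before trusting it.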