The constraints plugin provides advanced constraint checking for X.509 certificates. It is enabled by default.
The plugin currently enforces the following constraints:
- pathLenConstraint: if an issuer certificate specifies a maximum path length, the plugin verifies that the trust path does not exceed it
- nameConstraints: allows an issuer certificate to limit the name space within all subject names in the trust path shall be located
- policyConstraints: the plugin verifies the policy constraints specified by an issuer certificate
Details on these constraints can be found in RFC 5280.
The ipsec pki tool supports the creation of X.509 certificates containing these constraints.