I would like to use self-signed x509 certificates in our testing environment so I followed the process described in Ivan Ristic's "OpenSSL Cookbook". Great resource. I decided to go the private CA route as well.
However, Chrome complains that my site/https endpoint is unsecured with a "NET::ERR_CERT_AUTHORITY_INVALID" error. openssl s_client also raises a verify error:num=48:excluded subtree violation. Firefox gives me a "SEC_ERROR_CERT_NOT_IN_NAME_SPACE" error page.
I'm stumped as to why I get the excluded subtree violation. With my limited knowledge (first time using private CA functionality), I am probably wrong in thinking my host.cnf has SAN hostnames that are permitted via the nameConstraints in my root-ca.conf? I appreciate any insights or corrections to my misunderstanding of openssl config files.
rfc5280 section "4.2.1.10. Name Constraints" states that:
DNS name restrictions are expressed as host.example.com. Any DNS
name that can be constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint. For
example, www.host.example.com would satisfy the constraint but
host1.example.com would not.
But I'm seeing many examples of SAN and nameConstraints entries that use the leading dot notation – so I tried two DNS nameConstraints in my root-ca.conf. I'm desperate, so I will assume either can be correct…
Gory details:
I set up my root-ca, sub-ca config files, created the corresponding CSRs, root-ca.crt, sub-ca.crt, via the following commands:
(on the target machine - but I haven't found any docs saying this is required)
openssl genrsa -aes128 -out host-private.key 2048
openssl req -new -key host-private.key -out host.csr -passin pass:XXXX -config host.cnf
Copied the host.csr over to my CA environment. I ran the following commands to create the root CA cert:
openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
to create the intermediate/subordinate CA cert:
openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
openssl ca -config root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
Then, created the host certificate:
openssl ca -config sub-ca.conf -in host.csr -out host.crt -extensions server_ext
I created a chain certificate for deployment into my nginx env. host.csr + sub-ca.crt + root-ca.crt
I also added the root-ca.crt into my host's CA trust store. I'm using nginx to serve as an SSL/TLS terminator reverse proxy for several internal services via the ngx_http_proxy module.
I also added the generated root-ca.crt into my Chrome installation's CA trust store.
The site information as displayed by Chrome has the root-ca, sub-ca, host certificates correctly in the certificate hierarchy.
host.cnf:
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
# the use of -passin overrides this
input_password = PASSPHRASE
[dn]
CN = rt168openmbee.serc.stevens.edu
emailAddress = shespelt@stevens.edu
O = SERC
L = Hoboken
ST = NJ
C = US
[ext]
subjectAltName = DNS:rt168openmbee.serc.stevens.edu,IP:155.246.39.32
root-ca.conf:
[default]
name = root-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Root CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
noCheck = yes
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
sub-ca.conf:
[default]
name = sub-ca
domain_suffix = serc.stevens.edu
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "US"
organizationName = "SERC"
commonName = "Sub CA"
[ca_default]
home = .
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
Using openssl s_client -showcerts -connect, here are the retrieved certs (saved PEM certs run through openssl x509 -text …).
host certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
29:d9:fb:61:7a:0f:ba:c3:51:28:a3:05:14:df:8a:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Sub CA
Validity
Not Before: Jul 18 19:52:13 2019 GMT
Not After : Jul 17 19:52:13 2020 GMT
Subject: C = US, ST = NJ, O = SERC, CN = rt168openmbee.serc.stevens.edu, emailAddress = shespelt@stevens.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b9:19:1f:2b:2a:54:bc:7a:78:1c:13:33:09:8e:
12:e1:b5:f8:7c:58:f8:29:7e:b4:45:45:6b:5a:3f:
ac:41:f6:d6:bf:4a:08:77:a6:a0:94:dd:26:68:ed:
8a:ec:fc:e9:3e:db:98:45:0c:cf:8a:09:d6:46:14:
a7:bb:d2:f0:da:dd:db:7c:ed:31:7b:20:f7:7d:f0:
f9:13:1a:45:1b:ab:90:79:a7:d7:60:d2:94:70:0e:
79:4c:03:23:c0:b6:f7:dc:93:b4:c7:eb:6e:69:f1:
58:6c:14:07:98:4e:56:9d:01:39:d6:a1:be:da:a5:
76:83:aa:68:30:65:51:23:96:99:fe:05:9c:a7:61:
64:30:b1:f6:38:33:70:6d:8b:25:ce:d9:93:6e:b0:
5e:84:e8:71:4b:55:62:64:f1:6b:b4:ed:7b:dd:b7:
d9:b2:4a:24:29:bb:3b:ad:59:cc:4d:fb:84:6a:91:
45:e7:f1:cc:21:48:40:42:83:03:1e:07:6d:3f:c2:
a6:bf:8f:76:db:f8:9c:a2:a9:88:71:81:f5:d6:48:
d9:17:d9:0d:bb:9d:c5:24:bb:d8:58:93:85:1c:5f:
a4:39:df:8f:d6:9a:2a:2f:9c:34:bb:28:f0:87:fe:
df:9d:41:8a:0b:f6:c5:a3:0c:4c:6c:e1:f4:a6:89:
23:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.serc.stevens.edu/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.serc.stevens.edu:9081
X509v3 Authority Key Identifier:
keyid:FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.serc.stevens.edu/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
4F:60:83:45:A3:32:DB:C4:5C:AD:C1:BD:69:09:AF:E2:55:13:1A:6A
X509v3 Subject Alternative Name:
DNS:rt168openmbee.serc.stevens.edu, IP Address:155.246.39.32
Signature Algorithm: sha256WithRSAEncryption
07:d1:b6:ab:5d:b4:8a:f7:77:3c:57:06:f3:7c:69:a9:fa:85:
d0:04:b6:3b:24:2b:32:9f:31:4e:33:3b:a9:ed:d8:3e:8a:cf:
aa:19:be:84:86:42:86:9c:d3:c4:a6:35:2e:87:b5:10:40:d2:
05:92:13:e1:e6:00:cc:42:f9:55:ff:14:ba:3e:0e:d8:3c:9b:
d6:47:19:27:61:d3:c1:a4:9f:a9:80:c7:ae:68:c1:bf:a1:3c:
fd:c6:cc:df:16:4e:0b:ca:22:3e:d1:5f:b6:9f:ee:38:84:3b:
65:4d:86:d5:f3:df:03:7a:e1:13:ad:1e:62:8c:ad:ca:3c:d4:
78:89:8a:91:c9:a8:85:58:fa:78:49:ff:94:b5:37:68:72:89:
18:94:d7:08:ec:62:40:a5:35:1d:93:2c:7b:bf:b7:f1:b4:0f:
57:a7:17:69:8d:fb:a4:7d:1f:7b:bd:8c:f6:32:a9:6a:e4:04:
64:89:05:55:ee:43:cf:a3:51:67:35:6c:84:16:62:d3:6e:57:
de:0b:e9:fb:e3:11:a7:ed:94:9e:1e:ef:ec:5f:c4:03:33:cf:
0c:00:5c:8b:9f:ad:4e:b2:89:01:9f:be:49:9d:51:b8:2f:ba:
f3:9d:70:80:69:e3:bf:95:d6:a3:07:ee:fa:8b:84:ac:78:50:
7c:f3:08:0c
intermediate CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:cb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:49:50 2019 GMT
Not After : Jul 15 19:49:50 2029 GMT
Subject: C = US, O = SERC, CN = Sub CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:be:90:03:fa:85:91:b7:0a:72:6c:0c:81:aa:6d:
19:c1:d6:40:a5:f9:c5:28:35:ce:d6:e1:70:ea:eb:
80:54:2b:ad:87:e5:67:b1:6c:94:df:14:e7:97:9f:
1d:00:a3:db:96:48:e1:76:6f:06:bf:3d:27:f8:62:
74:90:75:95:3c:f2:5d:40:d4:1b:11:61:f0:52:db:
9a:d9:7f:4e:04:76:7f:fa:4e:c2:f2:00:fc:79:fb:
0c:51:aa:b8:39:5a:9c:73:b5:1f:04:cd:76:5c:7b:
a2:4b:41:3e:14:47:e9:d4:b1:b5:46:3b:05:05:99:
cc:63:1e:d8:1c:3d:4a:5a:b4:23:23:3e:39:8a:78:
05:1a:44:ba:fd:a4:b5:98:05:a4:e0:b8:d8:f1:3a:
0a:09:54:2d:4d:db:09:df:88:1c:b4:73:a5:a7:41:
5d:f8:a8:ec:fc:52:b1:6f:36:22:1c:3e:e7:66:93:
90:a7:dc:32:50:21:60:31:57:51:09:76:50:15:f7:
fc:4e:b9:05:ae:b6:93:2e:f4:b0:44:aa:3c:73:a7:
1c:c5:87:d9:54:81:f3:97:42:df:08:77:0b:5d:dd:
01:04:be:5e:1a:94:57:4b:82:65:71:91:3b:ad:58:
82:b7:55:e7:c9:7e:ed:fd:59:0f:83:48:1a:33:d4:
95:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://root-ca.serc.stevens.edu/root-ca.crt
OCSP - URI:http://ocsp.root-ca.serc.stevens.edu:9080
X509v3 Authority Key Identifier:
keyid:F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
Full Name:
URI:http://root-ca.serc.stevens.edu/root-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Name Constraints:
Permitted:
DNS:serc.stevens.edu
DNS:.serc.stevens.edu
IP:155.246.39.0/255.255.255.0
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
X509v3 Subject Key Identifier:
FB:BB:13:DE:9C:C7:5F:B4:07:2C:03:3D:35:59:CC:B4:9F:8F:FA:1F
Signature Algorithm: sha256WithRSAEncryption
ab:93:26:fa:85:ae:72:fa:e3:2d:65:9a:10:a5:c8:cc:e2:1c:
c6:4d:40:53:80:c2:6f:67:24:4e:29:23:b9:75:6e:2f:7f:ce:
7e:fb:2c:64:e8:e6:90:13:2d:39:da:13:3f:a9:71:5b:72:b1:
3b:11:e5:aa:98:e6:cc:47:a7:95:dc:7a:c0:27:2f:52:1e:08:
1f:34:b5:ab:1d:16:53:89:d4:b4:8a:d9:f7:ca:4d:7a:5a:bc:
9a:16:ed:45:5d:18:2a:50:0b:57:12:ea:23:8a:b8:f1:2b:26:
5b:1a:e8:7b:35:37:de:22:8f:cf:ae:f6:4f:7f:3e:88:0b:21:
40:40:46:53:ad:83:6a:3a:26:ba:0e:28:ba:0c:8d:04:56:e3:
59:d5:7d:13:06:d2:89:b1:5c:50:0c:54:60:09:bc:22:b8:96:
e8:42:8c:a6:dd:47:86:6f:16:bd:a9:45:3f:b6:f1:4d:58:82:
cf:e9:e2:e2:be:2b:2d:97:e5:0d:df:24:09:96:95:1d:1a:08:
94:87:73:6c:61:1a:70:36:ae:55:79:a8:ae:58:66:0d:2a:94:
32:27:91:bb:0a:5c:2f:64:b8:fe:a2:5f:3d:f7:d9:66:a9:2a:
e4:6b:9b:7f:66:ba:7a:61:e6:57:4f:c8:8b:5c:74:d7:0b:db:
a3:cb:d2:97:50:95:6f:34:64:24:ce:7a:0b:c3:dd:3a:7c:81:
d1:48:5e:74:af:7f:9c:fc:73:3b:01:b9:a9:d7:67:87:7b:81:
b0:99:9b:a5:29:1d:97:bb:70:61:48:32:13:e8:20:da:f5:7a:
96:2b:c0:04:1f:b2:27:a3:cb:35:a0:63:08:e3:5b:8e:ae:87:
60:c9:85:9e:b7:4a:a7:12:8f:81:3b:7d:5b:00:05:be:54:bd:
49:4e:1c:73:0e:c7:51:27:40:82:63:e4:48:d5:94:f3:63:53:
a1:84:5c:ca:3a:91:94:ca:23:de:65:48:5b:ff:7e:e6:79:8b:
a1:bf:c0:2d:9f:91:b5:c5:66:3c:58:e8:b8:e9:8f:81:18:cb:
7e:eb:46:4b:59:5d:d1:34:74:3f:92:c4:0d:9e:4a:ec:25:f4:
48:f4:d8:c9:a1:8f:72:2f:a5:8b:a2:14:16:f1:84:41:9b:df:
85:99:62:af:50:ab:c0:4d:4c:a9:7a:d0:31:24:4f:04:00:e3:
16:bb:53:08:fa:66:8b:d5:15:2b:22:62:ac:64:38:c2:2f:c0:
fa:ad:a1:be:b6:67:f6:f6:ac:af:a4:33:ea:4a:a0:8d:49:ad:
35:3c:6f:ae:b3:b6:a0:e6:84:df:32:36:46:73:48:26:28:a2:
10:9a:d2:2c:85:48:d7:d4
root CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:79:79:cc:2e:ca:7e:42:21:43:8a:fa:ba:fa:6f:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = SERC, CN = Root CA
Validity
Not Before: Jul 18 19:47:30 2019 GMT
Not After : Jul 15 19:47:30 2029 GMT
Subject: C = US, O = SERC, CN = Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:c7:6a:ca:cb:b6:3b:23:63:f4:21:32:37:a6:b8:
ed:34:0a:06:38:06:7a:cf:3a:0a:6e:36:ef:81:d0:
01:2d:e7:ea:dc:d9:46:d7:45:f3:ed:84:ed:7e:20:
6a:e2:00:34:43:4e:2a:fc:2b:53:ef:d2:af:1e:25:
c9:ed:e0:34:d0:9a:03:c2:50:16:46:96:89:cb:6d:
43:b4:17:61:49:07:53:85:62:d6:27:b5:0a:b0:87:
3b:b6:e3:ba:f7:b9:35:77:37:bb:ae:a8:7e:04:0f:
54:e2:b3:26:b0:3f:65:01:27:fc:dc:ac:b6:3a:a4:
d0:ea:6a:d2:f5:c5:7c:be:43:0f:41:d1:9d:1c:1c:
61:e1:ba:af:03:95:30:10:a9:3d:52:64:ce:70:40:
bd:dc:0d:53:35:00:c1:e9:e1:68:fd:f5:d5:d1:a1:
e4:c7:c7:22:fb:56:6f:a6:e1:ea:48:e8:61:fb:8c:
76:28:8a:4e:18:84:ab:f3:9b:d5:49:7c:04:40:15:
83:4d:26:2b:33:92:84:7e:f2:75:1b:0b:4c:d6:54:
c3:f2:4a:9f:13:72:ab:9c:92:a4:42:77:99:00:25:
91:c1:b6:87:bd:fa:f1:07:f0:ce:72:0f:3c:be:bc:
79:58:f6:8b:6e:07:bc:5d:ee:23:be:0d:d5:d6:91:
22:f4:73:1b:4f:5f:cc:82:87:57:61:50:96:8c:69:
0b:ae:f7:40:47:7c:62:4e:2e:77:3e:8c:f1:41:7d:
e8:64:d5:bf:24:36:99:bb:0c:46:0e:28:7b:52:95:
7d:b8:f2:e5:91:0d:07:ea:cb:9c:9d:08:dd:1f:e2:
3a:02:6a:5b:36:d1:ff:b9:0f:a4:08:ed:12:38:7a:
0b:a1:68:7e:be:b1:bb:90:e2:6a:9f:33:8f:d4:d2:
8b:ba:84:db:f9:c6:d7:94:19:d5:cd:db:ce:b3:ba:
53:36:51:9a:16:12:57:f9:16:27:1e:23:3b:09:c0:
2b:d8:f3:cf:d7:d2:ec:2d:b0:fd:bf:dc:85:7d:cb:
9d:cc:e1:70:0d:2a:fd:43:4f:48:3d:89:09:33:2e:
6b:e8:f0:ba:ca:21:9c:32:79:a2:64:e1:dc:75:8b:
ed:0b:32:50:5b:b1:b5:0b:11:7a:d4:f0:d9:df:f7:
61:04:4a:c5:41:c7:0e:cb:e5:c7:1a:3c:6e:7b:63:
8b:bd:e5:f2:99:c8:2e:5c:e4:ed:a0:1d:b4:c1:64:
b8:71:27:23:23:2f:93:54:b4:d8:99:b5:a4:35:7b:
dd:82:ef:b4:ee:d4:fb:f4:91:58:af:5e:f2:8f:37:
9d:5a:9f:62:99:f9:26:31:d8:74:08:71:2f:bc:1d:
40:a6:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
F1:86:94:29:A7:F0:AF:A2:CF:CC:A2:A6:D4:63:B1:02:0A:36:7E:83
Signature Algorithm: sha256WithRSAEncryption
16:77:4d:7b:ef:89:3d:31:45:07:8f:a3:c4:ad:ed:89:a0:9b:
b6:ab:74:59:1a:fb:7b:48:e1:e0:3c:75:73:dc:e3:e2:1b:a3:
74:a1:0d:37:ea:ac:85:fb:1c:e0:86:f1:86:ee:78:51:fd:4d:
58:04:8b:5c:6b:b3:06:1c:07:04:a1:c5:51:a9:d1:4c:24:42:
7c:ef:1e:35:c5:df:00:79:44:91:a1:f5:cb:71:5b:a7:85:b1:
f3:36:3c:75:e7:f8:d5:29:85:18:2e:ff:79:e1:eb:1f:72:24:
6a:36:a4:17:4e:76:4d:5d:d1:85:c4:18:c3:f4:83:07:10:3f:
7a:e2:36:33:48:1d:da:5d:08:2a:59:4f:3a:97:74:b7:d8:97:
85:b0:b1:82:f8:46:d5:df:75:d9:56:77:34:0e:26:d5:3a:eb:
8b:02:5e:d1:c3:fd:16:22:1f:ab:86:76:c4:cf:5b:d5:d5:bd:
da:70:76:9e:18:bd:2f:16:c0:89:fe:cc:e0:93:63:f0:23:65:
37:4c:6c:f5:e4:a7:fd:b2:02:86:91:6a:f5:31:b2:93:cc:33:
87:38:57:6b:55:59:7e:ed:02:13:5d:6f:4f:15:91:ac:7e:7f:
52:57:35:de:ec:87:38:bf:fe:7e:bd:5d:3c:ef:43:a9:d1:13:
ab:ed:6f:ac:cf:bf:7e:e8:35:0b:92:97:08:05:78:db:68:e0:
b1:05:2a:49:6e:00:34:71:a5:0f:5b:1c:17:47:9e:23:6f:64:
d7:f0:93:60:12:7f:6d:0a:cd:15:e7:de:72:c4:76:86:ef:4d:
65:c6:2a:1a:c4:35:0e:08:07:c5:ee:34:aa:9e:e1:90:d4:66:
87:0f:1f:32:fa:21:7e:4f:01:9b:6d:19:20:ed:e5:9d:1a:ee:
b3:e6:c4:93:4b:a4:cc:62:db:65:c1:b9:3b:05:a8:45:38:87:
29:6d:8c:86:86:7b:c5:3d:89:85:c8:8e:f5:da:7d:c5:89:31:
49:7b:af:9e:ff:03:89:db:ac:65:c5:5f:78:0d:cf:91:6f:19:
6a:e4:eb:b6:d5:46:ff:3b:8c:44:cd:00:7b:3c:ed:6f:f6:79:
61:93:12:08:58:7c:d5:02:9b:a7:4c:a0:c6:1a:f8:d9:b1:b6:
1e:77:75:1d:24:e8:d2:ff:61:ee:a8:85:e5:1b:49:cf:3c:91:
56:ea:e5:0e:6e:39:96:d0:d4:b7:95:25:e3:1a:a3:82:26:c8:
3f:53:47:fe:93:10:c4:bf:91:b5:7d:40:d2:2e:22:8e:7f:e5:
8a:4c:6e:03:04:de:f7:81:95:fc:a9:0f:31:51:ab:21:9d:20:
06:64:c2:9e:41:db:07:86
Best Answer
Your server certificate is invalid, because you have excluded its IP address in the CA cert. Here is the relevant text from RFC5280:
Just drop the excluded part of your CA certificate and everything should work. If the name constraints contain only a permitted section, all other names will be disallowed anyway.
Read this blog post for a good explanation on how the subtrees are processed.
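A worked check of the name-constraint rule the answer relies on, as an added example (my code, not from the question, the answer or the OpenSSL Cookbook). It implements the RFC 5280 section 4.2.1.10 matching for the DNS and IP name forms the question uses, including the OpenSSL leading-dot convention the question asks about, and evaluates the SAN of host.crt against the [name_constraints] section exactly as posted and against the same section with the two excluded lines removed. The parser for the openssl.cnf-style lines, and all function names, are my own; the parser only handles the `permitted;FORM.N=value` / `excluded;FORM.N=value` shape shown on the page.

```python
"""RFC 5280 4.2.1.10 name-constraint checks for DNS and IP SAN entries.

Added illustration, not code from the original post. The rule: a name is
rejected if it falls inside ANY excluded subtree of its form; otherwise it must
fall inside at least one permitted subtree of that form (if any are listed).
"""
import ipaddress


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 DNS subtree: the base itself, or any name built by prepending
    whole labels to it. A base with a leading dot is the OpenSSL convention
    for "subdomains only" (the base itself does not match)."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):
        return len(name) > len(base) and name.endswith(base)
    return name == base or name.endswith("." + base)


def _mask_to_prefixlen(mask: str) -> int:
    """RFC 5280 encodes IP subtrees as address + mask (openssl prints them as
    a.b.c.d/m.m.m.m); turn the mask into a prefix length, rejecting
    non-contiguous masks, which the RFC does not allow."""
    m = ipaddress.ip_address(mask)
    ones = bin(int(m)).count("1")
    expected = ((1 << m.max_prefixlen) - 1) ^ ((1 << (m.max_prefixlen - ones)) - 1)
    if int(m) != expected:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def ip_in_subtree(addr: str, subtree: str) -> bool:
    """IP subtree membership; an IPv4 address never matches an IPv6 subtree."""
    base, mask = subtree.split("/")
    a = ipaddress.ip_address(addr)
    net = ipaddress.ip_network((base, _mask_to_prefixlen(mask)), strict=False)
    return a.version == net.version and a in net


MATCHERS = {"DNS": dns_in_subtree, "IP": ip_in_subtree}


def parse_name_constraints(section: str) -> dict:
    """Parse lines like 'permitted;DNS.0=serc.stevens.edu' (the openssl.cnf
    shape used in the question) into {'permitted': {form: [...]}, 'excluded': {...}}."""
    out = {"permitted": {}, "excluded": {}}
    for line in section.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        side, form = key.split(";", 1)
        form = form.split(".", 1)[0]          # 'IP.1' -> 'IP'
        out[side].setdefault(form, []).append(value)
    return out


def check_name(nc: dict, form: str, value: str):
    """Return None if the name is acceptable, else the reason it is not.
    Excluded subtrees are checked first: they win over permitted ones."""
    match = MATCHERS[form]
    for sub in nc["excluded"].get(form, []):
        if match(value, sub):
            return f"{form}:{value} falls in excluded subtree {sub}"
    permitted = nc["permitted"].get(form, [])
    if permitted and not any(match(value, sub) for sub in permitted):
        return f"{form}:{value} is outside every permitted {form} subtree"
    return None


def check_san(nc: dict, san) -> list:
    """Check every (form, value) SAN entry; an empty list means the leaf passes."""
    return [r for r in (check_name(nc, f, v) for f, v in san) if r]


# Constructed inputs copied from the question: the CA's [name_constraints]
# section as posted, and the SAN of host.crt.
AS_POSTED = """
permitted;DNS.0=serc.stevens.edu
permitted;DNS.1=.serc.stevens.edu
permitted;IP.0=155.246.39.0/255.255.255.0
excluded;IP.1=0.0.0.0/0.0.0.0
excluded;IP.2=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
"""
# The fix from the answer: keep only the permitted subtrees.
FIXED = "\n".join(l for l in AS_POSTED.splitlines() if not l.startswith("excluded"))

HOST_SAN = [("DNS", "rt168openmbee.serc.stevens.edu"), ("IP", "155.246.39.32")]

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        problems = check_san(parse_name_constraints(cfg), HOST_SAN)
        print(f"{label}: {'OK' if not problems else problems}")
```

Run as-is, it reports the as-posted constraints rejecting IP:155.246.39.32 (the excluded 0.0.0.0/0.0.0.0 subtree covers every IPv4 address, and excluded subtrees are evaluated before permitted ones, which is why openssl reports error 48, X509_V_ERR_EXCLUDED_VIOLATION, rather than a permitted-subtree error) and the fixed constraints accepting the certificate. Two details worth keeping in mind: the permitted-only version still rejects any DNS name outside serc.stevens.edu and any IP outside 155.246.39.0/24 (openssl then reports error 47, "permitted subtree violation"), so nothing is lost by dropping the excluded lines; and `permitted;DNS.0=serc.stevens.edu` already covers both the zone apex and every subdomain, whereas OpenSSL treats the leading-dot form `.serc.stevens.edu` as subdomains only, so the second DNS line is redundant rather than wrong.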