Windows XP and Name Constraints

Recently I blogged about how Windows XP processes Name Constraints a little differently from what the RFC specifies. With the help of a friend I now have a good set of examples of what would and would not work, which illustrate what XP actually does.

Assuming our Subject was:

C = US;S = Washington;L = Kirkland;O = GlobalSign;CN =


And that our Constraint was:

     [1]Subtrees (0..Max):

We would see different results when validating a certificate on XP than we would on a later version of Windows.

Notice we did not include any directoryName attributes? That is supposed to mean that there are no constraints on the directoryName. On Windows XP, however, if you include a directory name in the subject there MUST be at least one Directory Name entry in the constraint to match against; otherwise the certificate will not pass its Name Constraints check.

So if we instead made our constraint:

     [1]Subtrees (0..Max):

     [3]Subtrees (0..Max):
          Directory Address:
          C = US
          S = Washington
          L = Kirkland
          O = Globalsign

A certificate with the following subject would match:

  • An empty DN, no RDNs
  • C = US
  • C = US;S = Washington
  • C = US;S = Washington;L = Kirkland
  • C = US;S = Washington;L = Kirkland;O = Globalsign
  • C = US;S = Washington;L = Kirkland;O = Globalsign;CN =
  • C = US;S ="";L = Kirkland;O ="";CN =

When XP processes the RDNs, it starts with the first and progresses in order from there. You cannot skip an RDN, and if an RDN is present its value must match the entire constraint RDN value or be empty.

As such, the following would not match in our example:

  • S = Washington (Skipped the first RDN)
  • C = US;L = Kirkland (Skipped the second RDN)
  • C = US;S = Washington;L = Kirkland;O = Globalsign Development Center (partial "O" value)
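To make those rules concrete, here is an added model of the XP matching behaviour described above (example code, not from the original post and not Windows' own implementation). It assumes RDNs are represented as ordered (type, value) pairs in the post's `C = US;S = Washington;CN =` notation and that values compare case-insensitively; the function names are my own.

```python
from typing import List, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("C", "US")
DN = List[RDN]          # ordered as XP walks it: first RDN first


def parse_dn(text: str) -> DN:
    """Parse the 'C = US;S = Washington;CN =' notation used in the post.

    '' is the empty DN (no RDNs); 'CN =' or 'S =""' gives an RDN whose
    value is empty, which XP treats as matching anything at that position.
    """
    dn: DN = []
    for part in (p.strip() for p in text.split(";")):
        if not part:
            continue
        attr, _, value = part.partition("=")
        dn.append((attr.strip().upper(), value.strip().strip('"')))
    return dn


def xp_rdn_matches(subject_rdn: RDN, constraint_rdn: RDN) -> bool:
    """XP rule: an RDN must match the whole constraint value, or be empty.

    A different attribute type at this position means an RDN was skipped.
    Case-insensitive value comparison is an assumption of this model.
    """
    (s_type, s_value), (c_type, c_value) = subject_rdn, constraint_rdn
    if s_type != c_type:
        return False
    return s_value == "" or s_value.lower() == c_value.lower()


def xp_subject_permitted(subject: DN, permitted_dirnames: List[DN]) -> bool:
    """Would XP accept this subject under the permitted directoryName subtrees?

    Two XP-specific behaviours from the post are modelled: a subject with
    any RDNs fails when the constraint carries no directoryName at all, and
    the subject is compared RDN by RDN from the first one, so it may stop
    early (a prefix) but may not skip a position or carry a partial value.
    """
    if not subject:                 # empty DN always passes
        return True
    if not permitted_dirnames:      # nothing to match against on XP
        return False
    for constraint in permitted_dirnames:
        # zip() stops at the shorter list: a subject that is a prefix of the
        # constraint, or that carries extra RDNs (e.g. CN) after it, is fine.
        if all(xp_rdn_matches(s, c) for s, c in zip(subject, constraint)):
            return True
    return False
```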

The prior blog post on this topic describes how an enterprise can work around this behavior (by setting some registry keys), but a public certificate issuer can work around it too, for example by inserting just one RDN value in the constraint and ensuring the subordinate CA issues with that RDN value in its certificates.

This way a site can have the flexibility it wants to change its directory structure without re-issuing the certificate containing the Name Constraints.


7 thoughts on “Windows XP and Name Constraints”

  1. Wahaj

    Hi Ryan,

    Nice article. Is this something specific to Windows XP only, or something which you have also observed in other operating systems, e.g. Windows 7 etc.?


  2. Bentoy

    In the near future national public key infrastructures might be used to authenticate people. It can also be used for signing things and it even has legal value. With the new European citizen cards each citizen gets his own certificate that can be checked by accessing a state-run keyserver. I already know of one university which allows people to remotely authenticate with the new citizen card. I even hope to see more mass deployments of it to solve the weak password problem. Of course this also is a danger because most people don’t understand the technology and will be using it from already compromised machines… But for the people who use it correctly it might be interesting.

    1. rmhrisk Post author

      These schemes have been in deployment for a long time and have seen little use given the technical constraints and poor implementations by the nation states and card manufacturers. I hope that changes eventually; the work happening with eIDAS in the EU gives me some hope here. That said, PKI will continue to be an important tool, especially in these deployments moving forward. One interesting angle on this is that increasingly the devices users access the internet with do not have card readers or even USB ports, for example the iPhone, iPad, and the most modern laptops. For this reason these cards increasingly cannot be used, at least as contact cards, for performing signing and encryption. I think we will see a move to alternate models as a result, but only time will tell.

  3. David Earl


    The LetsEncrypt intermediate certificate currently fails on Windows XP, apparently because of Name Constraints (we have determined that omitting that from the OpenSSL config lets it work). There, the constraint on the root is EXCLUDING .mil and 0 IPv4 and IPv6 addresses, where this article talks about PERMITTING. There doesn’t appear to be any DirectoryName, so I’m thinking this post is related to the problem.

    Can you shed any light?

    I hesitate to put too many links here, so just the main one:
    which references a GitHub issue which is worth looking at. The cnf file is in GitHub under jsha/sign-test as cross.cnf and the line in question reads:

    Perhaps you could contribute to that thread?

    (I’m just a fairly knowledgeable LetsEncrypt user trying to find out why the certificates won’t work on XP.)

