Limit SAN name spaces
Is there a way to limit what name spaces can be included in a SubjectAlternativeName extension/attribute of a certificate? Example: allow anything.domainA.com and anything.domainB.com, but do not allow anything.domainC.com.
Thanks, Paul
June 23rd, 2011 8:34pm

You can set up name constraints, but you would have to set up absolutely every name space that you will allow if you use includes. If you decide to use exclusions, you can explicitly deny domainC.com. The problem is that you have to renew the CA certificate any time you want to change the restrictions.
Brian
June 23rd, 2011 8:57pm
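To make the include/exclude difference concrete, here is an added worked example (it is not code from this thread or from Brian's reply). It implements the RFC 5280 section 4.2.1.10 matching rule for dNSName subtrees, which is what a chain validator applies to each DNS entry in a certificate's SAN once the constraint has been placed in the CA certificate. The domain names, including domainD.com, are constructed for illustration, and only the dNSName name type is modelled; other name types (rfc822Name, UPN, IP, directoryName) are constrained separately.

```python
"""Evaluate dNSName entries in a SAN against X.509 name constraints.

Added example for this thread, not code from the original posts. Implements
the RFC 5280 section 4.2.1.10 rule for dNSName subtrees so you can see what
a chain validator will accept under an include-style versus an exclude-style
constraint before baking one into a CA certificate.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def dns_matches_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName satisfies subtree S if it equals S or is S with one
    or more labels prepended on the left. Comparison is case-insensitive and a
    trailing dot (absolute name) is ignored. The label-boundary check matters:
    'notdomainA.com' is NOT inside 'domainA.com'."""
    n = name.lower().rstrip(".")
    s = subtree.lower().rstrip(".")
    return n == s or n.endswith("." + s)


@dataclass
class DnsNameConstraints:
    """permitted == permittedSubtrees, excluded == excludedSubtrees (dNSName only)."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)

    def allows(self, name: str) -> bool:
        # An excluded subtree always wins, regardless of permitted entries.
        if any(dns_matches_subtree(name, s) for s in self.excluded):
            return False
        # If any permitted dNSName subtree is present, every dNSName in the
        # certificate must fall inside one of them: names nobody listed are
        # rejected. With no permitted entries, anything not excluded passes.
        if self.permitted:
            return any(dns_matches_subtree(name, s) for s in self.permitted)
        return True

    def check_san(self, san_dns_names: list[str]) -> dict[str, bool]:
        """Per-name verdict for the dNSName entries of one SAN extension."""
        return {n: self.allows(n) for n in san_dns_names}

    def accepts_certificate(self, san_dns_names: list[str]) -> bool:
        """A validator rejects the whole certificate if any entry fails."""
        return all(self.check_san(san_dns_names).values())


# Constructed sample SAN contents (hypothetical names based on the question).
SAMPLE_SAN = [
    "www.domainA.com",
    "api.domainB.com",
    "mail.domainC.com",
    "notdomainA.com",        # looks similar, but outside the domainA.com subtree
    "intranet.domainD.com",  # a namespace nobody listed either way
]

# Include-style: only the domainA.com and domainB.com subtrees are permitted.
INCLUDE_STYLE = DnsNameConstraints(permitted=["domainA.com", "domainB.com"])
# Exclude-style: deny domainC.com and constrain nothing else.
EXCLUDE_STYLE = DnsNameConstraints(excluded=["domainC.com"])


def evaluate_examples() -> dict[str, dict[str, bool]]:
    """Verdict table for the sample SAN under both constraint styles."""
    return {
        "include": INCLUDE_STYLE.check_san(SAMPLE_SAN),
        "exclude": EXCLUDE_STYLE.check_san(SAMPLE_SAN),
    }


if __name__ == "__main__":
    for style, verdicts in evaluate_examples().items():
        print(f"{style}-style constraint:")
        for name, ok in verdicts.items():
            print(f"  {name:22s} {'allowed' if ok else 'REJECTED'}")
```

Run it and the include-style table rejects intranet.domainD.com even though nobody mentioned domainD.com, which is exactly the "you must list every namespace" cost Brian describes, while the exclude-style table lets it through and only rejects mail.domainC.com. Note that the constraint itself lives in the CA certificate (on an ADCS CA it is declared when the CA certificate is generated or renewed), so this script only predicts what a validator will do with a given constraint; it does not configure anything.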

Brian, thanks for the suggestion. I have a couple of follow-ups if you don't mind: In a 2-tier hierarchy, do you specify the name constraints at the Root CA or at the Enterprise Issuing CA? If I use "includes", does it exclude any name that is not listed in the include? If I needed to add another name space to the include constraint and as a result had to renew the CA certificate, what effect does that have on the previously issued certificates? Is there a best practice for renewing with the same key or a new key for this scenario?
Thank you! Paul
June 24th, 2011 7:37pm

Brian, another thought: could I utilize a custom policy module?
Thanks, Paul
June 24th, 2011 10:03pm

1. The only time I ever implement name constraints is in a policy.inf when performing cross-certification between organizations. I have never implemented them within an organization because, invariably, an acquisition or a name change takes place.
2. You could try a custom policy module. FIM CM does do this and has both a subject module and a SAN module that can build customized names. I think this is a way better path to follow (bearing in mind that I am an architect, not a developer).
Brian
June 25th, 2011 5:25am
