Are X.509 nameConstraints on certificates supported on OS X?

No. Apple does not support this.

Apple's Secure Transport library does not support X.509's nameConstraints.

There is a bug in Chromium's bug database about this. And it's been closed as WontFix. Developer Ryan Sleevi had this to say on Aug 25, 2014 (archived here):

Chrome defers to the OS cryptographic stack for verification.

It's a well-known, long-standing issue that Apple does not implement name constraints. This applies to all applications that use OS X's SSL or certificate verification libraries (e.g. Safari, Curl, Python, etc)

Should name constraints be present on a subordinate CA issued to an organization?
Which properties of a X.509 certificate should be critical and which not?
http://karl.kornel.us/2014/09/cas-name-constraints-and-a-business-opportunity/

Yes, OS X / macOS supports this since 10.13.3.

According to the https://nameconstraints.bettertls.com archived tests, 10.13 failed some tests but 10.13.3 passes all in with both Safari and Chrome.

This fit's the timeline release notes for macOS 10.13.3 which lists the following fix¹

Description: A certificate evaluation issue existed in the handling of name constraints. This issue was addressed with improved trust evaluation of certificates.

Firefox who uses it's own internal TLS passes since at least version 50.

This also matches lxgr's comment about it working on 10.15.4 comment and my test today on 10.14.6

^{¹as pointed out by Joe Lee-Moyet in the comments}

Are X.509 nameConstraints on certificates supported on OS X?

No. Apple does not support this.

Related

Yes, OS X / macOS supports this since 10.13.3.

Tags:

Macos

Certificates

X.509

Chrome

Related

Recent Posts