Hi, the x509v3_config manpage tells me:

  The name constraints extension is a multi-valued extension. The name should begin with the word permitted or excluded followed by a ;. The rest of the name and the value follows the syntax of subjectAltName except email:copy is not supported and the IP form should consist of an IP addresses and subnet mask separated by a /.

From what I understand, nameConstraints is only used for CAs and defines what ranges this CA may or may not sign for. If I am mistaken, please disregard this email. If I am not mistaken, it would probably be good to adapt the manpage to be clearer.

Thanks,
Richard
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
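
The syntax quoted from the manpage, written out as an OpenSSL configuration fragment for a CA certificate. This is an added example, not part of the original message or of the OpenSSL documentation; the section names, the example.com domain and the address ranges are constructed for illustration.

```ini
# Extension section for a subordinate CA certificate (hypothetical section name).
[ v3_name_constrained_ca ]
# Marks the certificate as a CA that may not issue further CA certificates.
basicConstraints = critical, CA:true, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
# Multi-valued form: the individual constraints live in their own section.
nameConstraints  = critical, @name_constraints

[ name_constraints ]
# Each name starts with "permitted" or "excluded", then ";", then a
# subjectAltName-style type. A numeric suffix keeps repeated names distinct.

# The CA may issue for example.com and hosts below it.
permitted;DNS.1   = example.com
# Mail addresses at hosts inside the .example.com domain.
permitted;email.1 = .example.com

# IP form is address/mask, not CIDR prefix length: this is 10.20.0.0/16.
permitted;IP.1    = 10.20.0.0/255.255.0.0
# Carve one subnet out of the permitted range; exclusions take precedence.
excluded;IP.1     = 10.20.99.0/255.255.255.0

# Single-line form, equivalent to one entry of the section above:
#   nameConstraints = permitted;IP:10.20.0.0/255.255.0.0
```

The section is selected by name when the CA certificate is signed, for example through the `-extensions` option of `openssl ca`; the constraints then apply to names in certificates issued beneath that CA.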