Subject distinguished name is not from a permitted subtree

Hello,

today we discovered a certificate in our Ciphermail certificate store
which is not usable for encryption because of the error "Error
building certPath. Subject distinguished name is not from a permitted
subtree". Indeed there are name constraints in a sub-CA used, but I cannot
figure out what the actual problem is because it actually should
match the mail address, which is xxxxx(a)ford.com.

This is from the upper level issuing CA:

Zugelassen
      [1]Unterstrukturen (0..Max):
           RFC822-Name=.ach-llc2.com
      [2]Unterstrukturen (0..Max):
           RFC822-Name=.cotarko.com
      [3]Unterstrukturen (0..Max):
           RFC822-Name=.european-llp.com
      [4]Unterstrukturen (0..Max):
           RFC822-Name=.first-aquitaine.com
      [5]Unterstrukturen (0..Max):
           RFC822-Name=.fmcc.ch
      [6]Unterstrukturen (0..Max):
           RFC822-Name=.ford-alliance.com
      [7]Unterstrukturen (0..Max):
           RFC822-Name=.ford.com
      [8]Unterstrukturen (0..Max):
           RFC822-Name=.fordcredit.com
      [9]Unterstrukturen (0..Max):
           RFC822-Name=.forsonordic.com
      [10]Unterstrukturen (0..Max):
           RFC822-Name=.lincoln.com
      [11]Unterstrukturen (0..Max):
           RFC822-Name=.lincolnafs.com
      [12]Unterstrukturen (0..Max):
           RFC822-Name=.troydm.com
      [13]Unterstrukturen (0..Max):
           RFC822-Name=.volvoautobank.de
      [14]Unterstrukturen (0..Max):
           RFC822-Name=ach-llc2.com
      [15]Unterstrukturen (0..Max):
           RFC822-Name=cotarko.com
      [16]Unterstrukturen (0..Max):
           RFC822-Name=european-llp.com
      [17]Unterstrukturen (0..Max):
           RFC822-Name=first-aquitaine.com
      [18]Unterstrukturen (0..Max):
           RFC822-Name=fmcc.ch
      [19]Unterstrukturen (0..Max):
           RFC822-Name=ford-alliance.com
      [20]Unterstrukturen (0..Max):
           RFC822-Name=ford.com
      [21]Unterstrukturen (0..Max):
           RFC822-Name=fordcredit.com
      [22]Unterstrukturen (0..Max):
           RFC822-Name=forsonordic.com
      [23]Unterstrukturen (0..Max):
           RFC822-Name=lincoln.com
      [24]Unterstrukturen (0..Max):
           RFC822-Name=lincolnafs.com
      [25]Unterstrukturen (0..Max):
           RFC822-Name=troydm.com
      [26]Unterstrukturen (0..Max):
           RFC822-Name=volvoautobank.de
      [27]Unterstrukturen (0..Max):
           DNS-Name=ford.com
      [28]Unterstrukturen (0..Max):
           Verzeichnisadresse:
                S=Michigan
                L=Dearborn
                O=Ford Motor Company
                C=US
      [29]Unterstrukturen (0..Max):
           Verzeichnisadresse:
                DC=ford
                DC=com
Ausgeschlossen
      [1]Unterstrukturen (0..Max):
           IP-Adresse=0.0.0.0
           Maske=0.0.0.0
      [2]Unterstrukturen (0..Max):
           IP-Adresse=0000:0000:0000:0000:0000:0000:0000:0000
           Mask=0000:0000:0000:0000:0000:0000:0000:0000

Any idea what could be wrong here?

Thanks

Andreas
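As an added example (not part of this thread and not CipherMail's code), the following Python models how RFC 5280 section 4.2.1.10 name-constraint checking treats the two name forms that matter for an S/MIME certificate, rfc822Name and directoryName, using the permitted subtrees printed for the issuing CA above. The end-entity subjects and the mailbox in it are constructed, and the root-first RDN order assumed for the directoryName constraints is an assumption, since the viewer output does not show the encoded order.

```python
# Added example, not CipherMail code: a minimal model of RFC 5280 section
# 4.2.1.10 name-constraint matching for the two name forms that matter for
# an S/MIME certificate, rfc822Name and directoryName.

# Permitted rfc822Name subtrees exactly as printed for the issuing CA above.
PERMITTED_RFC822 = [
    ".ach-llc2.com", ".cotarko.com", ".european-llp.com",
    ".first-aquitaine.com", ".fmcc.ch", ".ford-alliance.com", ".ford.com",
    ".fordcredit.com", ".forsonordic.com", ".lincoln.com", ".lincolnafs.com",
    ".troydm.com", ".volvoautobank.de",
    "ach-llc2.com", "cotarko.com", "european-llp.com", "first-aquitaine.com",
    "fmcc.ch", "ford-alliance.com", "ford.com", "fordcredit.com",
    "forsonordic.com", "lincoln.com", "lincolnafs.com", "troydm.com",
    "volvoautobank.de",
]

# Permitted directoryName subtrees as RDN sequences in encoded, root-first
# order. ASSUMPTION: the certificate viewer printed the RDNs reversed, so
# C=US is the root RDN; "S" in the viewer is the ST (stateOrProvinceName) type.
PERMITTED_DIRNAME = [
    (("C", "US"), ("O", "Ford Motor Company"), ("L", "Dearborn"), ("ST", "Michigan")),
    (("DC", "com"), ("DC", "ford")),
]


def rfc822_matches(mailbox, constraint):
    """rfc822Name matching per RFC 5280 4.2.1.10:
    'user@host' names one mailbox, 'host' names every mailbox on that host,
    '.domain' names every mailbox on a host strictly below domain.
    The domain part is compared case-insensitively, the local part exactly."""
    local, _, host = mailbox.rpartition("@")
    host, c = host.lower(), constraint.lower()
    if "@" in c:
        return local == constraint.rpartition("@")[0] and host == c.rpartition("@")[2]
    if c.startswith("."):
        return host.endswith(c)  # "ford.com" itself does not end with ".ford.com"
    return host == c


def dirname_matches(subject_rdns, constraint_rdns):
    """directoryName matching: the subject DN must begin with the constraint's
    RDN sequence; types and values are compared after whitespace and case
    folding (a simplification of the RFC 5280 section 7.1 string rules)."""
    def norm(rdn):
        return rdn[0].upper(), " ".join(rdn[1].split()).lower()
    if len(subject_rdns) < len(constraint_rdns):
        return False
    return all(norm(s) == norm(c) for s, c in zip(subject_rdns, constraint_rdns))


def check_name_constraints(subject_rdns, san_emails,
                           permitted_rfc822=PERMITTED_RFC822,
                           permitted_dirname=PERMITTED_DIRNAME):
    """Return the violations a path validator would report ([] = chain builds)."""
    violations = []
    # With no rfc822Name in the SAN, the subject's emailAddress attribute is checked instead.
    emails = list(san_emails) or [v for t, v in subject_rdns if t.upper() == "EMAILADDRESS"]
    for mailbox in emails:
        if not any(rfc822_matches(mailbox, c) for c in permitted_rfc822):
            violations.append("rfc822Name %s is not from a permitted subtree" % mailbox)
    # A non-empty subject DN must lie under at least one permitted directoryName
    # subtree, independently of whether the e-mail address matched.
    if subject_rdns and permitted_dirname and not any(
            dirname_matches(subject_rdns, c) for c in permitted_dirname):
        violations.append("Subject distinguished name is not from a permitted subtree")
    return violations


# Constructed end-entity certificates; neither is the certificate from the thread.
EMAIL = "example.user@ford.com"
SUBJECT_UNDER_DC_TREE = (("DC", "com"), ("DC", "ford"), ("CN", "Example User"))
SUBJECT_MISSING_L_ST = (("C", "US"), ("O", "Ford Motor Company"), ("CN", "Example User"))


def demo():
    """Same mailbox in both certificates: only the subject DN decides the outcome."""
    return {
        "under_dc_tree": check_name_constraints(SUBJECT_UNDER_DC_TREE, [EMAIL]),
        "missing_l_st": check_name_constraints(SUBJECT_MISSING_L_ST, [EMAIL]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "OK")
```

The second constructed subject shows why a matching mailbox alone is not enough: the rfc822Name check passes, but the DN neither begins with the full C/O/L/ST sequence nor with DC=com, DC=ford, so the directoryName check produces exactly the error quoted in the question. The excluded subtrees printed above (IP address 0.0.0.0 with an all-zero mask, and the IPv6 equivalent) cover every possible address, so any iPAddress in a SAN would be rejected, but they have no effect on a mail certificate that carries none, which is why the model leaves them out.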

Hi Andreas,

Could you send me the complete chain off-list so I can have a look at it?

Kind regards,

Martijn Brinkers

On 11/20/2015 11:53 AM, lst_hoe02(a)kwsoft.de wrote:
--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail