Subject distinguished name is not from a permitted subtree

Hello,

today we discover a certificate in our Ciphermail certificate store
which is not usable for encryption because of the error "Error
building certPath. Subject distinguished name is not from a permitted
subtree". Indeed there are name constraints in a sub-CA used but i can
not figure out what the actual problem is because it actually should
match the mailadress with is xxxxx(a)ford.com

This is from the upper level issuing CA:

Zugelassen
      [1]Unterstrukturen (0..Max):
           RFC822-Name=.ach-llc2.com
      [2]Unterstrukturen (0..Max):
           RFC822-Name=.cotarko.com
      [3]Unterstrukturen (0..Max):
           RFC822-Name=.european-llp.com
      [4]Unterstrukturen (0..Max):
           RFC822-Name=.first-aquitaine.com
      [5]Unterstrukturen (0..Max):
           RFC822-Name=.fmcc.ch
      [6]Unterstrukturen (0..Max):
           RFC822-Name=.ford-alliance.com
      [7]Unterstrukturen (0..Max):
           RFC822-Name=.ford.com
      [8]Unterstrukturen (0..Max):
           RFC822-Name=.fordcredit.com
      [9]Unterstrukturen (0..Max):
           RFC822-Name=.forsonordic.com
      [10]Unterstrukturen (0..Max):
           RFC822-Name=.lincoln.com
      [11]Unterstrukturen (0..Max):
           RFC822-Name=.lincolnafs.com
      [12]Unterstrukturen (0..Max):
           RFC822-Name=.troydm.com
      [13]Unterstrukturen (0..Max):
           RFC822-Name=.volvoautobank.de
      [14]Unterstrukturen (0..Max):
           RFC822-Name=ach-llc2.com
      [15]Unterstrukturen (0..Max):
           RFC822-Name=cotarko.com
      [16]Unterstrukturen (0..Max):
           RFC822-Name=european-llp.com
      [17]Unterstrukturen (0..Max):
           RFC822-Name=first-aquitaine.com
      [18]Unterstrukturen (0..Max):
           RFC822-Name=fmcc.ch
      [19]Unterstrukturen (0..Max):
           RFC822-Name=ford-alliance.com
      [20]Unterstrukturen (0..Max):
           RFC822-Name=ford.com
      [21]Unterstrukturen (0..Max):
           RFC822-Name=fordcredit.com
      [22]Unterstrukturen (0..Max):
           RFC822-Name=forsonordic.com
      [23]Unterstrukturen (0..Max):
           RFC822-Name=lincoln.com
      [24]Unterstrukturen (0..Max):
           RFC822-Name=lincolnafs.com
      [25]Unterstrukturen (0..Max):
           RFC822-Name=troydm.com
      [26]Unterstrukturen (0..Max):
           RFC822-Name=volvoautobank.de
      [27]Unterstrukturen (0..Max):
           DNS-Name=ford.com
      [28]Unterstrukturen (0..Max):
           Verzeichnisadresse:
                S=Michigan
                L=Dearborn
                O=Ford Motor Company
                C=US
      [29]Unterstrukturen (0..Max):
           Verzeichnisadresse:
                DC=ford
                DC=com
Ausgeschlossen
      [1]Unterstrukturen (0..Max):
           IP-Adresse=0.0.0.0
           Maske=0.0.0.0
      [2]Unterstrukturen (0..Max):
           IP-Adresse=0000:0000:0000:0000:0000:0000:0000:0000
           Mask=0000:0000:0000:0000:0000:0000:0000:0000

Any idea what could be wrong here?

Thanks

Andreas

Hi Andreas,

Could you send me the complete chain off-list so I can have a look at it?

Kind regards,

Martijn Brinkers