We’ve released cross_sign_name_constraint_tool v0.0.3 and tlsrestrict_nss_tool v0.0.3. Here’s what’s new:

Both cross_sign_name_constraint_tool and tlsrestrict_nss_tool : Properly handle input CA’s that don’t have a CommonName. Code quality improvements.

and : tlsrestrict_nss_tool only: Compatibility fixes for Windows: Stop using cp to enable CKBI visibility, since no such command exists on Windows. Pass cert nicknames in NSS certutil batch files instead of as command-line args, because Windows doesn’t handle Unicode command-line args correctly. Error when CKBI appears to be empty; this is usually a symptom of missing libraries. Communicate with certutil via PEM instead of DER; this should reduce the risk of concatenated certs not having a clearly defined boundary. Fix compatibility with Go 1.11 and higher. Fix cert deletion on Fedora 28 and higher (and probably various other platforms too). Partial support for bundling both 32-bit and 64-bit certutil on Windows. Partial support for continuously syncing an NSS DB on Windows whenever CKBI is updated (not yet ready for use; will be included in a future ncdns release). Code quality improvements.

only:

As usual, you can download it at the Beta Downloads page.

This work was funded by NLnet Foundation’s Internet Hardening Fund.