From d5e4964b32a36cd874db1d800c78aec1661e1f18 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Tue, 21 Jan 2020 13:01:54 +0100
Subject: [PATCH] critical in nameConstraints lost after last refactoring
---
 roles/strongswan/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/strongswan/defaults/main.yml b/roles/strongswan/defaults/main.yml
index 2506fe0..3a2a6f1 100644
--- a/roles/strongswan/defaults/main.yml
+++ b/roles/strongswan/defaults/main.yml
@@ -17,7 +17,7 @@ subjectAltName: >-
 {%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%}
 subjectAltName_USER: "email:{{ item }}@{{ openssl_constraint_random_id }}"
 nameConstraints: >-
- permitted;{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{- '/255.255.255.255' if subjectAltName_type == 'IP' else '' -}}
+ critical,permitted;{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{- '/255.255.255.255' if subjectAltName_type == 'IP' else '' -}}
 {%- if subjectAltName_type == 'IP' -%}
 ,permitted;DNS:{{ openssl_constraint_random_id }}
 {%- else -%}
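Review bot: Nothing on the `nameConstraints:` line records why `critical` has to lead the value, which is how the flag could be dropped in a refactoring without anyone noticing. I would add a comment above the key, `# 'critical' must stay first: a verifier that does not process nameConstraints must then reject the CA instead of ignoring the constraint`, and a post-generation check that `openssl x509 -noout -text` on the CA certificate shows `X509v3 Name Constraints: critical`. CA certificates generated while the flag was missing presumably still carry a non-critical constraint, so this default only helps newly generated CAs; that is worth stating in the release notes. The template continues past `{%- else -%}` outside this hunk, so the other branch is not reviewed here.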