
crypto/x509: enable strict domain name validation during creation and parsing #75835

@rolandshoemaker

In https://go.dev/cl/709854 for CVE-2025-58187 we enabled strict validation of domain names in SANs and constraints. This broke a number of users as we previously allowed creation of certificates that contained these malformed domain names (see #75828 for further details), even if they would've failed verification when we got to constraint checking (if a chain contained any constraints).

We should re-enable this strict validation, but we should flag it with a GODEBUG, and we should additionally enforce it in CreateCertificate (et al).
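Added example, not part of the issue and not code from crypto/x509: a pre-flight check a certificate issuer could run over a template's DNS SANs before calling `CreateCertificate`, so malformed names are rejected at creation rather than surfacing later during constraint checking. The helper names and the validation rules (RFC 1035 length limits, no empty labels) are assumptions of this example, not the rules the standard library applies.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// validSANName is a conservative syntax check for one dNSName SAN.
// Assumed rules (not crypto/x509's own): RFC 1035 length limits, no empty
// labels, LDH characters plus '_', and "*" only as the whole leftmost label.
func validSANName(name string) bool {
	if name == "" || len(name) > 253 {
		return false
	}
	for i, label := range strings.Split(name, ".") {
		if label == "" || len(label) > 63 {
			return false // leading dot, trailing dot, or ".."
		}
		if i == 0 && label == "*" {
			continue
		}
		for _, c := range []byte(label) {
			if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' ||
				c >= '0' && c <= '9' || c == '-' || c == '_') {
				return false
			}
		}
	}
	return true
}

// MalformedSANs (hypothetical helper) lists the template's DNSNames that
// would be worth rejecting before the template reaches CreateCertificate.
func MalformedSANs(tmpl *x509.Certificate) []string {
	var bad []string
	for _, n := range tmpl.DNSNames {
		if !validSANName(n) {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	tmpl := &x509.Certificate{DNSNames: []string{ // constructed sample
		"example.com", "*.example.com", "a..example.com", ".example.com", "exa mple.com"}}
	fmt.Println(MalformedSANs(tmpl))
}
```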

Labels

LibraryProposal: Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool
NeedsFix: The path to resolution is known, but the work has not been done.
