Comment by filleokus
3 years ago
The dream would truly be an internal CA backed by a publicly trusted subordinate cert (limited to the domain you control). But afaik that can’t happen until the Name Constraint Extension is enforced by “all” clients.
> But afaik that can’t happen until the Name Constraint Extension is enforced by “all” clients.
For those curious about this extension, see RFC 5280 § 4.2.1.10:
* https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10
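To make the enforcement point concrete, here is an added example (not part of the thread, and not code from any CA vendor) that builds the setup the comment describes in Go's standard library: a root standing in for a public trust anchor, a subordinate CA whose nameConstraints extension permits only a hypothetical domain `corp.example`, and two leaf certificates issued under it. Nothing at issuance time checks the constraint; it is the client's chain builder (here `crypto/x509`) that rejects the out-of-scope name, which is exactly why the scheme only works once every relying client enforces the extension. All names and keys are constructed in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical domain the subordinate CA is permitted to issue for (assumption).
const permittedDomain = "corp.example"

// PKI holds a root (standing in for a publicly trusted root), a subordinate CA
// carrying a nameConstraints extension, and the subordinate's signing key.
type PKI struct {
	Root   *x509.Certificate
	Sub    *x509.Certificate
	subKey *ecdsa.PrivateKey
}

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issue signs tmpl with parentKey; when parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates the root and the name-constrained subordinate CA.
func BuildPKI() (*PKI, error) {
	now := time.Now()
	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	root, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Public Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	subKey, err := newKey()
	if err != nil {
		return nil, err
	}
	sub, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Internal Sub CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Name Constraints (RFC 5280 § 4.2.1.10): permittedSubtrees limited to one
		// DNS domain. Marked critical, as RFC 5280 requires, so a client that does
		// not implement the extension rejects the chain instead of ignoring it.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permittedDomain},
	}, root, &subKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Sub: sub, subKey: subKey}, nil
}

// IssueLeaf has the subordinate sign a server certificate for dnsName.
// Issuance succeeds for any name: the constraint is not checked here.
func (p *PKI) IssueLeaf(dnsName string) (*x509.Certificate, error) {
	leafKey, err := newKey()
	if err != nil {
		return nil, err
	}
	now := time.Now()
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, p.Sub, &leafKey.PublicKey, p.subKey)
}

// VerifyAsClient builds and validates the chain the way a constraint-enforcing
// client does; a leaf outside permittedDomain fails here, not at issuance.
func (p *PKI) VerifyAsClient(leaf *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	inters := x509.NewCertPool()
	inters.AddCert(p.Sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"app." + permittedDomain, "login.bank.example"} {
		leaf, err := p.IssueLeaf(name)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s client verify: %v\n", name, p.VerifyAsClient(leaf, name))
	}
}
```

Running it shows the in-scope name verifying cleanly and the out-of-scope name rejected with a "not authorized to sign for this name" error from the chain builder. Swapping `VerifyAsClient` for a client that ignores nameConstraints would accept both, which is the gap the comment is pointing at.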