Comment by aaomidi

3 years ago

If you're making your own root cert, you should use name constraints and block the issuance to certain DNS names.

https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1....

https://wiki.mozilla.org/CA:NameConstraints

Although... I have no idea if browsers/applications/openssl/etc. actually verify this - but they should.

(Disclaimer: I work at LE)

> (I know there are cert extensions that allow restricting certs to a subdomain, but they're not universally supported and still scoped as wide as a wildcard cert).

I even mentioned that in my post ;)
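As an added example (mine, not code from the comment or from LE), answering the "do verifiers actually check this" question for at least one stack: Go's standard-library crypto/x509 verifier does enforce nameConstraints. The code builds a constructed private root whose permittedSubtrees allow only example.internal and its subdomains, issues a leaf under it for a caller-supplied name, and returns the chain-verification result; the root's signature is valid in every case, so any rejection comes from the constraint alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on fixture-construction errors: in this example they are bugs, not runtime conditions.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// VerifyUnderConstrainedRoot builds a constructed private root whose nameConstraints
// permit only "example.internal" and its subdomains, issues a leaf for dnsName under
// it, and returns Go's chain-verification result for that leaf (nil means accepted).
func VerifyUnderConstrainedRoot(dnsName string) error {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Private Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		// RFC 5280 4.2.1.10 permittedSubtrees, marked critical so a verifier cannot ignore it.
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"example.internal"},
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)))) // self-signed
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{dnsName}, // the SAN checked against the constraint
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	// The root's signature over the leaf is valid in every case; only the name constraint decides.
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}
```

Names inside the permitted subtree (example.internal and app.example.internal) verify; www.example.com and the lookalike example.internal.evil.com are rejected with a CertificateInvalidError even though the leaf is correctly signed.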