Comment by jauer
3 years ago
I have a CA for home services and was worried about this, so I use name constraints to limit the domains that it is allowed to sign certs for.
This blog (not mine) goes into how to do it: https://systemoverlord.com/2020/06/14/private-ca-with-x-509-...
That's a neat idea! I looked into name constraints many years ago, and at the time, no common browser or TLS library supported it; glad to see that that has changed.
With ubiquitous support, I hope that one day we'll be able to routinely get "subdomain CA certificates" issued by something like Letsencrypt, just like it's already possible to get wildcard certificates.
Since when have TLS certs not been pinned to specific domains?
Parent commenter is talking about having a sub CA that is restricted to issuing certs for a specific domain.
For example, let’s say that I am hosting a website at somewhere.example.com.
Today I would be able to get a Let’s Encrypt TLS cert for somewhere.example.com, and if I control the DNS for somewhere.example.com, I can get a wildcard cert for *.somewhere.example.com.
But from what parent is saying, with name constraints it would be possible for Let’s Encrypt to give me a cert that would allow me to act as a CA for anything under my somewhere.example.com.
Meaning that I could for example issue a TLS cert for treehouse.internal.somewhere.example.com using the restricted CA certificate that was given to me.
I think.
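The restricted CA the thread describes, as an added example that is not part of any comment above: a root whose critical nameConstraints extension permits only somewhere.example.com and its subdomains, built and validated with Go's standard library. The CA name and the out-of-scope host www.example.org used in the checks are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign generates a P-256 key for tmpl and signs the certificate with signer (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)))), key
}

// ConstrainedCA builds a root whose critical nameConstraints permits only the dNSName subtree domain (itself and every name under it).
func ConstrainedCA(domain string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Home Lab Constrained CA"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomains: []string{domain}, PermittedDNSDomainsCritical: true,
	}, nil, nil)
}

// Issue signs a server cert for host. The CA key signs out-of-scope names without complaint; the constraint bites only at validation.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// Accepted reports whether a client trusting only ca accepts leaf for host; Go rejects a SAN outside any issuer's permitted subtrees.
func Accepted(ca, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

A leaf for treehouse.internal.somewhere.example.com validates against this root, while one for www.example.org is rejected even though the same CA key signed it, which is why the constraint must be marked critical so older validators that cannot enforce it refuse the chain instead of ignoring it.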