Comment by codetrotter
3 years ago
Parent commenter is talking about having a sub CA that is restricted to issuing certs for a specific domain.
For example, let’s say that I am hosting a website at somewhere.example.com.
Today I would be able to get a Let’s Encrypt TLS cert for somewhere.example.com, and if I control the DNS for somewhere.example.com I can get a wildcard cert for *.somewhere.example.com.
But from what parent is saying, with name constraints it would be possible for Let’s Encrypt to give me a cert that would allow me to act as a CA for anything under my somewhere.example.com.
Meaning that I could for example issue a TLS cert for treehouse.internal.somewhere.example.com using the restricted CA certificate that was given to me.
I think.
Thank you so much for the elaboration, I really appreciate it.
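The mechanism the comment above describes, shown as an added example in Go using only the standard library's crypto/x509 (this is not code from the thread, from Let's Encrypt, or from any real CA): a root signs a subordinate CA whose Name Constraints extension (RFC 5280 section 4.2.1.10) permits only `somewhere.example.com` and the names below it. That subordinate can then sign `treehouse.internal.somewhere.example.com` and a verifier accepts the chain, while a certificate it signs for a name outside the constraint is rejected at chain validation. All CA names, keys and certificates are constructed inside the block; the hostnames are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// pki is the constructed hierarchy: a hypothetical root and a subordinate CA
// that is name-constrained to somewhere.example.com and everything below it.
type pki struct {
	root       *x509.Certificate
	sub        *x509.Certificate
	subKey     *ecdsa.PrivateKey
	nextSerial int64
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent (self-signed when parent == tmpl) and parses
// the DER back so the result carries the extensions exactly as encoded.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildPKI creates the root and the constrained subordinate CA.
func buildPKI() *pki {
	now := time.Now()
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	subKey := newKey()
	subTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Constrained CA for somewhere.example.com"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0, // may sign end-entity certs only, no further sub-CAs
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign,
		// The name constraint. Without a leading dot Go permits the name itself
		// and every name below it, compared label by label (not a string suffix).
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{"somewhere.example.com"},
	}
	sub := sign(subTmpl, root, &subKey.PublicKey, rootKey)
	return &pki{root: root, sub: sub, subKey: subKey, nextSerial: 100}
}

// issueLeaf signs a server certificate for dnsName with the constrained CA.
// Signing always succeeds: the constraint is enforced by verifiers, not here.
func (p *pki) issueLeaf(dnsName string) *x509.Certificate {
	p.nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.nextSerial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, p.sub, &newKey().PublicKey, p.subKey)
}

// verify builds and validates the chain leaf -> sub -> root for dnsName,
// which is what a TLS client does with the server's presented certificates.
func (p *pki) verify(leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

// isNameConstraintViolation distinguishes the constraint failure from other
// chain errors. Go reports it as CANotAuthorizedForThisName; when no chain can
// be built it surfaces as the hint inside UnknownAuthorityError, so the message
// is matched as well.
func isNameConstraintViolation(err error) bool {
	var cie x509.CertificateInvalidError
	if errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName {
		return true
	}
	return err != nil && strings.Contains(err.Error(), "not authorized to sign for this name")
}

func main() {
	p := buildPKI()
	for _, name := range []string{
		"treehouse.internal.somewhere.example.com", // below the constraint
		"somewhere.example.com",                    // the constrained name itself
		"www.example.net",                          // a different domain
		"evilsomewhere.example.com",                // string suffix match is not label match
	} {
		err := p.verify(p.issueLeaf(name), name)
		fmt.Printf("%-42s accepted=%v constraintViolation=%v\n", name, err == nil, isNameConstraintViolation(err))
	}
}
```

The point worth keeping in mind with this scheme is the comment in `issueLeaf`: the constrained CA can produce a signed certificate for any name it likes, and nothing stops it from doing so. The restriction only holds because relying parties evaluate the Name Constraints extension when they build the chain; a verifier that does not implement it would accept whatever the subordinate signs.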