Comment by dns_snek

Where are you finding that name constraints aren't supported? I've only come across that on embedded/IoT devices. They work fine for me across Firefox and Chrome on Linux, on Android, and they are supposed to work fine on Apple devices too.

> If I find that I want to use a specific website and want to do something with the traffic...

I agree but that's a different problem. If you just need a certificate for your router and some internal services (the original discussion), you can do that using an internal root CA and you have nothing to worry about as long as you using name constraints.

On IoT devices without nameConstraints support I just use an alternative CA certificate without name constraints (same key, different extensions).