FiloSottile / mkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.
https://mkcert.dev
BSD 3-Clause "New" or "Revised" License

possibility to limit down the rootCA on a specific domain #377

Open krtschmr opened 3 years ago

krtschmr commented 3 years ago

We use this for our test environments (QA testing) and distribute the certificate across the engineering team. They have to import the rootCA in order to have SSL working on our test environments. However, having a rootCA that's valid for the whole internet allows for MITM attacks within our company network (or any other network an attacker has control of that we would use).

In order to mitigate this, I want to limit the rootCA to one domain only (*.our-test-company.co). Does mkcert -install provide any options for this, or shall I generate my own rootCA, limited to the domain, which I then place into the rootCA path?

krtschmr commented 3 years ago

One way of doing it would be in this tutorial: https://systemoverlord.com/2020/06/14/private-ca-with-x-509-name-constraints.html

krtschmr commented 3 years ago

I see this was done in https://github.com/FiloSottile/mkcert/pull/309/files, which looks fantastic to me. Shall we merge it?
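The mitigation the thread points at, a root whose X.509 name constraints permit only the test domain, as an added Go example that is not mkcert's code or the linked PR: it builds such a root, issues a leaf from it and checks what a client trusting only that root would accept. The CA name, the `our-test-company.co` constraint value and the hostnames are constructed for the example; a constraint without a leading dot permits that name and every subdomain of it.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mint signs tmpl with parent/parentKey (self-signed when parent is nil) and returns the parsed cert plus its new key.
func mint(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand fails, which Go (1.24+) documents it never does
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// ConstrainedRootCA builds a self-signed root whose critical name constraints permit only DNS names under suffix (constructed example).
func ConstrainedRootCA(suffix string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "constrained test CA (constructed example)"},
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomains:         []string{suffix},
		PermittedDNSDomainsCritical: true,
	}, nil, nil)
}
// LeafVerifies issues a server cert for host from the CA and reports whether a client trusting only that root accepts it for host.
func LeafVerifies(ca *x509.Certificate, caKey ed25519.PrivateKey, host string) bool {
	leaf, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{host},
	}, ca, caKey)
	if err != nil {
		return false
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil // false outside the constraint: the verifier reports x509.CANotAuthorizedForThisName
}
```

A leaf the constrained root signs for a name outside the permitted domain is rejected by the verifier even though the signature is valid, which is exactly the MITM exposure the issue describes being closed off; the encoded constraint can be inspected on an existing root with `openssl x509 -noout -text` under "X509v3 Name Constraints".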