
> you can't create certificates this way

Sure I can. It's my network, so I decide what root CAs are trusted. Be your own CA, and tell your computers to trust your own CA cert.

For example:

https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi...

or

https://github.com/jsha/minica



Is it possible to limit the CA to only cover certain domains, e.g. *.yourown.home.arpa? Or is it the case that if you install a CA of your friend, it grants them the possibility of MitMing most any service (with a non-pinned cert), at least when enabled by network topology?

I've been using a local CA for a long time, but I have not found a way to limit it that way, so security-wise it is less than optimal.


> Is it possible to limit the CA to only cover certain domains

Sure, via the Name Constraints extension.

Supposedly client support is spotty, but I have no experience in practice. Anything relatively modern could support it.


Thank you! I'll try that with my next CA, which I think is actually expired but it seems not all apps care about that :).

If "relatively modern" covers browsers and email clients, that's pretty good already.

edit: here's the reference: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.... and here's a practical example: https://systemoverlord.com/2020/06/14/private-ca-with-x-509-...
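A worked example of the Name Constraints approach discussed in the two comments above, added here and not posted by any commenter: it builds a root CA whose permitted subtree is `DNS:.home.arpa`, issues one leaf inside that subtree and one outside it, and then runs `openssl verify` against both. The CA name, the hostnames and the temp-dir layout are constructed for the demo. OpenSSL is the relying party here, so this shows the constraint as OpenSSL enforces it, not how any particular browser or mail client behaves.

```shell
#!/bin/sh
# Added example: a private root CA restricted with the Name Constraints
# extension (RFC 5280 section 4.2.1.10). Everything under $WORK is throwaway.
# Hostnames and CA name are constructed for this demo.

WORK=$(mktemp -d)

# Root config: permitted subtree limits every cert this CA signs to *.home.arpa.
# The extension is marked critical, so a client that does not understand it
# must reject the chain instead of silently trusting an unrestricted root.
write_ca_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Home Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.home.arpa
EOF
}

# Self-signed root with the extensions from [ v3_ca ] above.
make_root() {
    write_ca_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_leaf NAME SERIAL: CSR for NAME, signed by the root with SAN DNS:NAME.
# The CA tool itself does not refuse out-of-scope names; enforcement happens
# on the relying side, which is exactly what the thread is arguing about.
issue_leaf() {
    name=$1
    serial=$2
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' "$name" \
        > "$WORK/$name.cnf"
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$name" \
        > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 90 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial "$serial" \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_leaf NAME: prints "ok" when the chain validates under the root,
# "rejected" when OpenSSL refuses it (e.g. permitted subtree violation).
verify_leaf() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

make_root
issue_leaf nas.home.arpa 1        # inside the permitted subtree
issue_leaf www.example.com 2      # outside it: the CA signs it, verifiers reject it
echo "nas.home.arpa:   $(verify_leaf nas.home.arpa)"
echo "www.example.com: $(verify_leaf www.example.com)"
```

Run it with `sh`; it only needs the `openssl` CLI. The second leaf is the important one: the constrained root happily signs a certificate for `www.example.com`, but a verifier that honours Name Constraints refuses the chain, so installing this root does not hand its owner a usable certificate for sites outside `.home.arpa`. Whether a given TLS client honours the extension is the open question the rest of the thread is about, and that is not something this script can answer.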


And how are you going to distribute these certificates to your houseguests?


I run a plain http server on the LAN that hosts a copy of the public part of the CA cert. Download it from there and add it to your trusted CAs.


Friends don't ask friends to install their custom root CA. If someone asked you to install theirs, would you?

After all, once they've installed your root CA, you'll now be able to trivially intercept all of their encrypted HTTPS communications while they use your network. I wouldn't trust my mother with that power.


I blame lacking implementation of https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10 by TLS clients.


Doesn’t even have to be the ones baked into the cert - I should be able to import a root to authenticate a list of domains that I specify.


Please tell me your friends aren't stupid enough to install random CA roots.


Per GP, this will be VERY difficult to explain to houseguests.


Why?

Specifically, what I mean is, if you have house guests that care enough about your LAN that they actually want to access any of the services you have running on it – it shouldn't be difficult to explain to them why and how to trust your CA.

The main difficulty IME is getting any of your guests to care about your LAN services in the first place.


I'm sorry, but if you ask me to install your private CA on any of my devices... I would politely tell you to stop.

As for house guests, I really like what OnHub did - you could allow anyone on the network to control certain IoT devices. When someone was house sitting for me, they could control the thermostat, lights, etc. from their phone without any apps or "add household member" shenanigans.


That's what I do, I just hijack home.com to do it and don't care about SSL on my intranet.


> allow anyone on the network to control certain IoT devices

Yeah that makes sense :)

My own house is not really IoTified yet. I have a single "smart" plug that I can turn on or off with an app that the night table lamp on one side of the bed is plugged into. But I could see the appeal of having the IoT setup accessible to guests for people that have more IoT stuff in their house.


When you're a guest at a friend's house, for example, you would have no problem installing their root CA in exchange for the privilege of using their network? Wouldn't you find that to be a little bit antisocial or overbearing?


I don’t need to install their root CA unless I specifically want to access any LAN services.

Most people are not interested in that and so don’t need to add any new CA.

Most people borrow the WiFi so they can check their WhatsApp, Instagram, TikTok etc. None of which requires adding any new CA.


> I don’t need to install their root CA unless I specifically want to access any LAN services.

s/unless/even if/


No, I meant what I said.

Well, I guess you could deal with the TLS warnings instead.

But I prefer to install the CA cert so that the TLS connections are seen as valid.



