
Is it possible to limit the CA to only cover certain domain, e.g. *.yourown.home.arpa? Or is it the case that if you install a CA of your friend, it grants them the possibility of MitMing most any service (with non-pinned cert), at least when enabled by network topology?

I've been using a local CA for a long time, but I have not found a way to limit it that way, so security-wise it is less than optimal.



> Is it possible to limit the CA to only cover certain domain

Sure, via the Name Constraints extension.

Supposedly client support is spotty, but I have no experience in practice. Anything relatively modern could support it.
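
What that answer describes, as an added example (not code from the thread or from the linked write-ups): a private CA carrying a critical Name Constraints extension limited to home.arpa, and a check that `openssl verify` rejects a leaf for any other name. The hostnames, file layout and working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): private CA name-constrained to home.arpa.
set -e

# CA whose issued certificates may only name hosts under home.arpa (RFC 5280 4.2.1.10).
make_constrained_ca() {            # make_constrained_ca <workdir>
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Home Lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# critical: a client that cannot process the constraint must reject the chain
nameConstraints = critical, permitted;DNS:home.arpa
EOF
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/ca.key" -out "$1/ca.pem" -days 3650 -config "$1/ca.cnf" \
    -extensions v3_ca >/dev/null 2>&1
}

# Issue a leaf for <host>. The CA will sign any name; enforcement is the verifier's job.
issue_leaf() {                      # issue_leaf <workdir> <host>
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -config "$1/ca.cnf" -subj "/CN=$2" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# Print "accepted" or "rejected" depending on whether the chain validates.
leaf_accepted() {                   # leaf_accepted <workdir> <host>
  if openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected                   # openssl reports "permitted subtree violation"
  fi
}

# Stand-alone demo: one in-scope and one out-of-scope name signed by the same CA.
demo_dir=$(mktemp -d)
make_constrained_ca "$demo_dir"
for h in nas.home.arpa bank.example.com; do
  issue_leaf "$demo_dir" "$h"
  echo "$h: $(leaf_accepted "$demo_dir" "$h")"   # accepted / rejected
done
```

The constraint does not stop the CA from signing bank.example.com; it only lets a constraint-aware client refuse that chain, which is why the extension is marked critical.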


Thank you! I'll try that with my next CA, which I think is actually expired but it seems not all apps care about that :).

If "relatively modern" covers browsers and email clients, that's pretty good already.

edit: here's the reference: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.... and here's a practical example: https://systemoverlord.com/2020/06/14/private-ca-with-x-509-...



