Comment by dns_snek

Comment by dns_snek 3 days ago

0 replies

You don't even need to remember any OpenSSL commands. I manage all of my home certificates using XCA GUI.

When creating your CA certificate you can hop into the Advanced tab and add the following line to constrain it to specific domains. This eliminates the risk of your likely-poorly-secured CA being abused to MITM all of your communications:

        nameConstraints=critical,permitted;DNS:.home.internal

This will only allow the CA to sign certificates for *.home.internal. I think browser support for nameConstraints is pretty good these days, but some clients might not be compatible, and you can always install a CA certificate without this extension on devices that don't support it.
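The same constraint expressed with the plain OpenSSL CLI instead of XCA, as an added example that is not part of the comment above: it builds a root CA carrying `nameConstraints=critical,permitted;DNS:.home.internal`, signs one leaf inside the permitted subtree and one outside it, and shows that chain validation accepts the first and rejects the second. The CA name, the hostnames and the scratch directory are constructed for the demonstration; the constraint does not stop the CA key from signing anything, it makes relying parties reject the result.

```shell
#!/bin/sh
# Added example (not the commenter's code): a name-constrained home CA built
# with the OpenSSL CLI, plus a check that the constraint is enforced on verify.
set -eu

WORK="$(mktemp -d)"            # constructed scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA config; the nameConstraints line mirrors the XCA setting above.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Home Lab Root CA
[ca_ext]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
nameConstraints        = critical,permitted;DNS:.home.internal
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf NAME: sign a server certificate with SAN DNS:NAME using the CA.
# The CA signs whatever it is asked to; nothing here stops an out-of-scope name.
issue_leaf() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$name" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# verify_leaf NAME: exit 0 if the leaf chains to the CA and honours its
# name constraints, non-zero otherwise (OpenSSL reports a permitted
# subtree violation for names outside .home.internal).
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# 2. One name inside the permitted subtree, one outside it (both constructed).
issue_leaf nas.home.internal
issue_leaf evil.example.com

for n in nas.home.internal evil.example.com; do
  if verify_leaf "$n"; then
    echo "$n: accepted"
  else
    echo "$n: rejected by name constraint"
  fi
done
```

Running the script prints `nas.home.internal: accepted` and `evil.example.com: rejected by name constraint`. The second certificate was signed without complaint, which is the point of the comment: if the CA key leaks, the extension limits what a stolen signature is worth to any client that enforces name constraints, and a client that does not understand the extension is expected to reject the chain outright because it is marked critical.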