[FiloSottile]

Hi! Author here.

I was backdating, but I realized a correct notBefore helps identifying when and why you made the certificate. I removed the backdating at the same time as I added the host name in the OU. Nobody has complained so far, so probably not a real problem on dev environments.

I would kind of hope that for client auth you’d have support for a custom root instead of the system pool, hence not needing mkcert (in its current form). But if someone actually finds themselves needing that I’d accept a PR.

Key Usage has been screwed up so much than nearly no one checks them, but in any case I don’t feel like this is the place to fight the RSA key exchange.