[oarsinsync]

> 1. Create your own root Certificate Authority.

2. Ensure that the security around your new root CA is watertight, so that if your environment ever gets compromised, someone can't generate a new *.google.com or *.yourbank.com certificate signed by your CA and then MITM your connection.

[merb]

3. use cross signing with name constraints to not have this problem

https://tools.ietf.org/html/rfc5280#section-4.2.1.10

[Sebb767]

4. Find out that name constraints are either not supported or ignore by basically all major libraries.

[fomine3]

Issuing CA cert with Name Constraints is good, but end user should recognize the certificate is constrained to their domains or not.

[midasuni]

The end user should be able to choose the domains the root is valid for - regardless of x509 name constraints.