by michaelt 1228 days ago
The feature is called 'RFC 5280 Name Constraints' and nobody will issue you such certificates.

This is because some clients don't support the constraints, so if they give you a CA certificate that can sign any subdomain of evil.com you could use it to sign MITM certificates for good.com and, although you wouldn't fool modern web browsers, you might fool smart fridges and ancient Android phones.

You can, however, use it to constrain your in-house corporate CA if you like.
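The in-house use the comment ends on, shown as an added example that is not part of michaelt's comment: a root CA carrying a critical RFC 5280 nameConstraints extension is built with the openssl CLI, it signs one leaf inside the permitted namespace and one outside it, and a constraint-aware verifier accepts the first and rejects the second. The hostnames (corp.example, other.example), the CA name and the file layout are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original comment): build an in-house CA that
# carries a critical RFC 5280 nameConstraints extension, issue one leaf inside
# the permitted namespace and one outside it, and confirm that a
# constraint-aware verifier (openssl verify) rejects the out-of-scope leaf.
# All hostnames (corp.example, other.example) are constructed for this demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root CA profile. nameConstraints is marked critical, as RFC 5280 requires,
# so a conforming client that cannot process it must reject the chain.
# "DNS:corp.example" permits corp.example and every subdomain of it.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no

[ dn ]
CN = Constructed Corp Root CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:corp.example
EOF
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -config "$WORK/ca.cnf" -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a server certificate for $1 from the constrained CA. The CA signs
# any name it is asked to; enforcement happens on the verifying side.
issue_leaf() {
  host="$1"
  cat > "$WORK/$host.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $host

[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -config "$WORK/$host.cnf" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/ca.srl" -CAcreateserial -days 1 \
    -extfile "$WORK/$host.cnf" -extensions leaf_ext \
    -out "$WORK/$host.pem" 2>/dev/null
}

# Path-validate the leaf for $1 against the CA. Prints "ok" when the chain
# verifies and "rejected" when openssl's name-constraint check fails it
# (X509_V_ERR_PERMITTED_VIOLATION, "permitted subtree violation").
verify_leaf() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Build the CA, show the constraint as encoded in it, then try both leaves.
make_ca
issue_leaf www.corp.example
issue_leaf www.other.example

openssl x509 -in "$WORK/ca.pem" -noout -text | grep -A2 'Name Constraints'
echo "www.corp.example:  $(verify_leaf www.corp.example)"
echo "www.other.example: $(verify_leaf www.other.example)"
```

The CA itself never refuses to sign www.other.example; only the verifier's path validation enforces the permitted subtree. That is exactly why the constraint only helps against clients that implement it: a client that ignores the (critical) extension instead of rejecting the chain sees an ordinary CA, which is the gap the comment describes for old devices.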