[tempay]

> Your clients will only trust the certs for your CA, and those CAs have constraints in place so that we could never issue a certificate outside of your set of configured DNS names.

Does this work in practice? I was under the impression that the extensions for restricting which domains a CA can use weren’t widely supported.

[benburkert]

It does work, and we've found it to be about as well supported as SAN names, which is pretty extensive these days. It's just not commonly used by public CAs because the real value of these public CAs is that they can issue for any valid domain name, not a predefined set.