by dns_snek
192 days ago
You can absolutely do that with the name constraints extension set on the root CA certificate. You should verify compatibility, but it's pretty universally supported on modern browsers and consumer devices, last I checked.

nameConstraints=critical,permitted;DNS:.iso1631.internal

- "critical" ensures that any clients who don't understand this extension fail the certificate validation outright instead of ignoring it.
- "DNS:.iso1631.internal" limits the scope to all subdomains of the given domain, e.g. "www.iso1631.internal"

https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1....
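As an added, runnable illustration of the comment above (this is example code written for this page, not something dns_snek or the thread posted), the script below builds a private root CA with the OpenSSL CLI using the exact nameConstraints directive quoted, issues one server certificate inside the permitted subtree and one outside it, and asks openssl verify which chain it accepts. The CA name "Example Internal Root", the hostnames www.iso1631.internal and www.example.com, and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a name-constrained private root CA
# built with the OpenSSL CLI. The CA name, hostnames and scratch directory
# are assumptions for this example.
set -eu

# Self-signed root whose nameConstraints restrict it to *.iso1631.internal.
make_constrained_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Internal Root
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nameConstraints      = critical,permitted;DNS:.iso1631.internal
EOF
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -days 365 -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    2>/dev/null
}

# Issue a server leaf for $host. The CA signs it whether or not the name is
# inside the constraint: enforcement happens in the verifier, not the signer.
issue_leaf() {
  dir=$1; name=$2; host=$3
  cat > "$dir/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = $host
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/$name.cnf" -extensions leaf_ext \
    -out "$dir/$name.crt" 2>/dev/null
}

# Exit status 0 when the chain verifies for $host, non-zero otherwise
# (a name outside the subtree fails with X509_V_ERR_PERMITTED_VIOLATION).
verify_leaf() {
  dir=$1; name=$2; host=$3
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
    "$dir/$name.crt" >/dev/null 2>&1
}

# Build everything in a scratch directory and print a one-line summary.
name_constraint_demo() {
  work=$(mktemp -d)
  make_constrained_ca "$work"
  issue_leaf "$work" inside  www.iso1631.internal
  issue_leaf "$work" outside www.example.com
  if verify_leaf "$work" inside www.iso1631.internal; then in=ok; else in=rejected; fi
  if verify_leaf "$work" outside www.example.com; then out=ok; else out=rejected; fi
  rm -rf "$work"
  echo "inside=$in outside=$out"
}

name_constraint_demo   # prints: inside=ok outside=rejected
```

The point worth noticing is that the out-of-scope certificate is issued without complaint; the CA key can sign anything. Only a verifier that understands the extension refuses it, which is why marking the extension critical matters: a client that does not implement nameConstraints must then reject the whole chain rather than silently accept a certificate for www.example.com. Before relying on this, check the result against the actual browsers and devices you need to support, as the comment suggests.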
A far better option would be to allow me, the user, to do this in the user agent. I can import my MITM cert and today I can trust it for "abc123.com" and point that to something I want to access in that manner for some reason, but tomorrow simply toggle that trust off.
If I find that I want to use a specific website and want to do something with the traffic, then I could point that DNS to my middle-box and turn that on in my browser. With name constraints I'd have to regenerate the root certificate with the new domain, and then re-import it.
The entire concept of name constraints puts the power into the hands of the CA-issuing person rather than the user.