[feature] add Name Constraint?

Open zimbatm opened this issue 5 years ago • 2 comments

It would be nice if the CA could be generated with a Name Constraint, so that it can only be used on a specific top-level domain like .local.

See https://timothy-quinn.com/name-constraints-in-x509-certificates/

zimbatm, Oct 17 '20 12:10

Just as a heads-up when implementing this. Browsers like Google don't enforce Name Constraint on any manually imported trust roots. For this to work, I believe you need to create an intermediary certificate with the name constraint, and then use that for issuance. Maybe mkcert should destroy the private key of the root cert once the intermediary is created?

ralexander-phi, Mar 30 '23 09:03