
possibility to limit down the rootCA on a specific domain

Open krtschmr opened this issue 4 years ago • 4 comments

We use this for our test environments (QA testing) and distribute the certificate across the engineering team. They have to import the rootCA in order to have SSL working on our test environments. However, having a rootCA that's valid for the whole internet allows for MITM attacks within our company network (or any other network an attacker has control of which we would use).

In order to mitigate this, I want to limit the rootCA to one domain only (*.our-test-company.co). Does mkcert -install provide any options for this, or shall I generate my own rootCA, limited to that domain, which I then place into the rootCA path?

krtschmr avatar Jun 24 '21 05:06 krtschmr
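The restriction asked for above is the X.509 Name Constraints extension (RFC 5280 §4.2.1.10): the root carries a permitted DNS suffix, and a relying party refuses any chain whose leaf SAN falls outside it, so a stolen or misused CA key can no longer mint a trusted certificate for an arbitrary site. The following is an added example in Go (mkcert's own language), not mkcert's code and not the change from PR #309; the `our-test-company.co` suffix, the subject names, and the throwaway keys are all constructed for the demo. It builds a constrained root, issues one leaf inside and one leaf outside the permitted suffix, and shows that the enforcement happens at verification time, not at signing time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed for the demo: simple increasing serials so the two leaves differ.
var serial int64

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// newKey makes a throwaway P-256 key (constructed; never reuse demo keys).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewConstrainedRootCA self-signs a root whose Name Constraints extension
// permits DNS SANs only under permittedSuffix. "our-test-company.co" (RFC 5280
// form) matches the apex and every subdomain; in Go a leading "." additionally
// requires at least one label in front of the suffix.
func NewConstrainedRootCA(permittedSuffix string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: "Constrained test root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Critical: a verifier that cannot process the constraint must reject
		// the chain rather than silently ignore the restriction.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permittedSuffix},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssueLeaf signs a server certificate for dnsName. CreateCertificate does NOT
// check the CA's name constraints, so this succeeds for any name; the limit is
// imposed by whoever validates the chain.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstRoot validates leaf the way a TLS client trusting only ca would;
// the root's name constraints are enforced here and a violation is returned as
// the error.
func VerifyAgainstRoot(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   leaf.DNSNames[0],
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, key, err := NewConstrainedRootCA("our-test-company.co")
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"app.our-test-company.co", "login.example.com"} {
		leaf, err := IssueLeaf(ca, key, name)
		if err != nil {
			panic(err)
		}
		if err := VerifyAgainstRoot(leaf, ca); err != nil {
			fmt.Printf("%-26s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-26s accepted\n", name)
		}
	}
}
```

The point worth checking before rolling such a root out to a team: the constraint only helps on clients whose verifier honours it (Go's `crypto/x509`, current browsers, OpenSSL and NSS do), and marking the extension critical makes a verifier that does not understand it fail closed. Issuing still "works" for any name, which is exactly why the test asserts on `Verify`, not on `CreateCertificate`.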

One way of doing it would be in this tutorial: https://systemoverlord.com/2020/06/14/private-ca-with-x-509-name-constraints.html

krtschmr avatar Jun 24 '21 06:06 krtschmr

I see this was done in https://github.com/FiloSottile/mkcert/pull/309/files which looks fantastic to me. Shall we merge it?

krtschmr avatar Jun 24 '21 07:06 krtschmr