
If you generate the root CA, sure. However, name constraints aren't well supported.

A far better option would be to allow me, the user, to do this in the user agent. I can import my mitm cert and today I can trust it for "abc123.com" and point that to something I want to access in that manner for some reason, but tomorrow simply toggle that trust off.

If I find that I want to use a specific website and want to do something with the traffic, then I could point that DNS to my middle-box and turn that on in my browser. With name constraints I'd have to regenerate the root certificate with the new domain, and then re-import it.

The entire concept of the name constraints puts the power into the CA-issuing person rather than the user.

Where are you finding that name constraints aren't supported? I've only come across that on embedded/IoT devices. They work fine for me across Firefox and Chrome on Linux, on Android, and they are supposed to work fine on Apple devices too.

> If I find that I want to use a specific website and want to do something with the traffic...

I agree, but that's a different problem. If you just need a certificate for your router and some internal services (the original discussion), you can do that using an internal root CA and you have nothing to worry about as long as you are using name constraints.

On IoT devices without nameConstraints support I just use an alternative CA certificate without name constraints (same key, different extensions).
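The setup described in the two paragraphs above, as an added example that is not part of the thread: an internal root CA whose certificate carries a critical nameConstraints extension, a second CA certificate on the same key with no name constraints (for devices that ignore the extension), and a check of how a name-constraint-aware verifier (openssl verify) treats a leaf inside and outside the permitted subtree. The domain home.lan, the host names and all file names are constructed for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): a name-constrained internal root CA,
# plus an unconstrained CA certificate on the SAME key. The domain "home.lan",
# the host names and the file names are constructed for this demo.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two CA extension profiles: identical except for the nameConstraints line.
# "permitted;DNS:home.lan" allows home.lan and any name below it.
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Home Lab Root CA
[v3_constrained]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:home.lan
[v3_unconstrained]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# One CA key, two self-signed CA certificates built from it.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/ca.key" 2>/dev/null
for profile in constrained unconstrained; do
  openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
    -extensions "v3_$profile" -days 3650 -out "$WORK/ca-$profile.pem" 2>/dev/null
done

# issue_leaf NAME: a server certificate for NAME signed with the CA key.
# Both CA certificates share that key and subject, so the leaf chains to either.
issue_leaf() {
  name=$1
  cat >"$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -config "$WORK/$name.cnf" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca-constrained.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.cnf" -extensions v3_leaf \
    -out "$WORK/$name.pem" 2>/dev/null
}

# verify_against CA_CERT LEAF_CERT: prints "accepted" or "rejected" depending on
# whether openssl verify (which enforces nameConstraints) builds a valid chain.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

issue_leaf router.home.lan   # inside the permitted subtree
issue_leaf example.com       # outside it: signed by the same key, but the constrained CA cert rejects it

for ca in constrained unconstrained; do
  for leaf in router.home.lan example.com; do
    printf '%-13s CA, %-16s -> %s\n' "$ca" "$leaf" "$(verify_against "$WORK/ca-$ca.pem" "$WORK/$leaf.pem")"
  done
done
```

The constrained CA certificate is the one to import into browsers and systems that honour the extension: a leaf for example.com signed with the compromised or misused CA key is rejected as a permitted-subtree violation, while the same leaf chains cleanly to the unconstrained certificate, which is exactly the trade-off being made when that second certificate is handed to a device that cannot evaluate name constraints.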
