[GH-ISSUE #302] [feature] add Name Constraint? #191

New issue

Open

opened 2026-02-25 22:32:49 +03:00 by kerem · 2 comments

kerem commented 2026-02-25 22:32:49 +03:00

Owner

Copy link

Originally created by @zimbatm on GitHub (Oct 17, 2020).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/302

It would be nice if the CA could be generated with a Name Constraint, so that it can only be used on a specific top-level domain like .local.

See https://timothy-quinn.com/name-constraints-in-x509-certificates/

Originally created by @zimbatm on GitHub (Oct 17, 2020). Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/302 It would be nice if the CA could be generated with a Name Constraint, so that it can only be used on a specific top-level domain like `.local`. See https://timothy-quinn.com/name-constraints-in-x509-certificates/

kerem commented 2026-02-25 22:32:50 +03:00

Author

Owner

Copy link

@ralexander-phi commented on GitHub (Mar 30, 2023):

Just as a heads-up when implementing this. Browsers like Google don't enforce Name Constraint on any manually imported trust roots. For this to work, I believe you need to create an intermediary certificate with the name constraint, and then use that for issuance. Maybe mkcert should destroy the private key of the root cert once the intermediary is created?

<!-- gh-comment-id:1489958995 --> @ralexander-phi commented on GitHub (Mar 30, 2023): Just as a heads-up when implementing this. Browsers like Google [don't enforce Name Constraint on any manually imported trust roots](https://bugs.chromium.org/p/chromium/issues/detail?id=1072083). For this to work, I believe you need to create an intermediary certificate with the name constraint, and then use that for issuance. Maybe `mkcert` should destroy the private key of the root cert once the intermediary is created?

kerem commented 2026-02-25 22:32:50 +03:00

Author

Owner

Copy link

@nh2 commented on GitHub (Oct 18, 2024):

Browsers like Google don't enforce Name Constraint on any manually imported trust roots.

Chrome fixed this, ticket was closed as fixed 2024-07-11.

<!-- gh-comment-id:2420950629 --> @nh2 commented on GitHub (Oct 18, 2024): > Browsers like Google [don't enforce Name Constraint on any manually imported trust roots](https://bugs.chromium.org/p/chromium/issues/detail?id=1072083). Chrome fixed this, ticket was closed as fixed 2024-07-11.

kerem referenced this issue 2026-02-25 22:33:25 +03:00

[PR #197] [CLOSED] mkcert now provides a version command #413

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.9.1

v0.9.0

Labels

Clear labels   

TLS stack issue

  

Windows

  

bug

  

duplicate

  

duplicate

  

enhancement

  

help wanted

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

root store

  

waiting for info

No labels

TLS stack issue

Windows

bug

duplicate

duplicate

enhancement

help wanted

help wanted

pull-request

question

question

root store

waiting for info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mkcert#191

No description provided.