mirror of
https://github.com/FiloSottile/mkcert.git
synced 2026-04-25 05:26:03 +03:00
[GH-ISSUE #377] possibility to limit down the rootCA on a specific domain #248
Originally created by @krtschmr on GitHub (Jun 24, 2021).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/377
We use this for our test environments (QA testing) and distribute the certificate across the engineering team. They have to import the rootCA in order to be able to have SSL working on our test environments.
However, having a rootCA that's valid for the whole internet allows for MITM attacks within our company network (or any other network an attacker has control of that we would use).
In order to mitigate this, I want to limit down the rootCA to one domain only (*.our-test-company.co). Does mkcert -install provide any options on this or shall I generate my own rootCA, limited on domain, which I then place into the rootCA path?
@krtschmr commented on GitHub (Jun 24, 2021):
One way of doing it would be in this tutorial: https://systemoverlord.com/2020/06/14/private-ca-with-x-509-name-constraints.html
@krtschmr commented on GitHub (Jun 24, 2021):
I see this was done in https://github.com/FiloSottile/mkcert/pull/309/files which looks fantastic to me.
Shall we merge it?
@nh2 commented on GitHub (Oct 18, 2024):
Duplicate of #302.
@directionless commented on GitHub (Apr 12, 2025):
Any chance at a fix for this?