Intermediate certificate #3
Description
A root certificate can generate certificate for any domain. If some code knows where to look at, it could reuse the root certificate to generate trusted certificate for a domain that you would not expect.
In this scenario code you don't own is executed on your machine. The code would do things more problematic than generating a trusted certificate to fool you somehow... For this reason this issue won't be a priority.
But in case, this is what could be done:
- Generate an intermediate certificate from the root certificate
- This intermediate certificate would be allowed to generate certificate for a subset of domains
- Remove the root certificate from the filesystem
To keep in mind: This module can be used by X project on 1 machine. In other words the intermediate certificate should be allowed to generate certificate for all projects. In this scenario it means project B wants to reuse intermediate CA from project A, in that case we could regen root CA to regen an intermediate CA allowed to generate certificates for both A and B.