Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Honestly this feels overly complex when you can just create a CA and add the CA to ur devices. Still cool tho.


We looked into this at $WORK, but it can be slightly annoying as you have to create a workflow for each operating system's trust store, but you also have to deal with many browsers independently as well, since many of them don't use the OS' trust store.


At home, with just a few devices, it's doable, but adding a ca on all the devices of a corporate network is a huge pain. On one hand, you have varying levels of control (from none to total) on the devices. On the other hand adding a ca is a bit of a pain, with the ca needed to be added in various ca collection s for different softwares (ex in linux, ca-certificates, java certificates, and to add them system wide for browsers, you need to recompile libnss).


You don't want to be running a CA. Because devices don't implement "name constraints", once you import your CA Root cert into a device, all HTTPS communications on that device can be subverted if someone gets ahold of your Root CA's cert/private key.

I find it incredibly annoying that i can't tell chrome to use THIS CA Root Cert only for *.mydomain.com and not my banking domains, email, etc.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: