On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> Certificates I get at $work come four layers deep:
>
>
> Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
>
> Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
>
> Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
>
> End-entity cert for my server.
>
>
> And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> to be what I'm calling trusted in root.crt?

I don't know if there is a way to get this to work, but the
fundamental problem seems to be that you have got the system wrong.
If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
it as a certification authority.

Yours,
Laurenz Albe