Post History

For future readers - based on input from Michael, and some research that was spurred by that improved version, this is the final config I arrived at:
```
# https://gnutls.org/manual/html_node/certtool-Invocation.html#certtool-Invocation

cn = "nosuchdomain.com"
organization = FakeCompanyName

country = US
state = California
locality = "San Francisco"

# In 2020, Apple started refusing certs longer than 1 year: https://support.apple.com/en-us/102028
# Others followed suit. However, as of Mar 2024 this is for real CAs only, not
# user-installed certs
expiration_days = -1

dns_name = "nosuchdomain.com"

nc_permit_dns = my.cool.website.com
nc_permit_dns = alternate.address.org

ca
cert_signing_key
```

In the past (1-2 years ago) I had gotten errors about name constraints in the root CA, so I had to leave it all powerful. This introduced a security hole where after installing my root CA, an attacker who gains access to the root CA key could impersonate any site like google.com. I had to use an intermediate CA instead. After the suggestions here, I tried and found that apparently root CAs *can* have name constraints, and indeed browser do error out when they see a server cert for a disallowed domain. This allowed me to cut out the intermediate CA which simplified things quite a bit.

I elected to remove the expiration. These days, browsers are trying to demand shorter expiration periods, to encourage site admins to automate rotation of certs in case of a leak. This requirement is imposed only for real CAs, not user-made CAs like the one here. Further, for private use like this, there is not much security benefit from expiration dates, because if I discover I've been compromised I can directly notify all clients anyhow. On the other hand, it's convenient not having to reinstall the root CA every year on each machine.