adapted from this ServerFault post and this blogpost.
making your own name-constrained CA
make a `name-constraint.ini` file (the `keyUsage` line belongs in the `[domain_ca]` extension section; placed under `[req]` it is silently ignored):

```ini
[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

[domain_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
# only names under .example.com may appear in certs this CA signs
nameConstraints = critical, permitted;DNS:.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
```
make your ca with the name constraints:

```sh
openssl req -new -x509 -days 3650 -newkey rsa:4096 \
    -extensions domain_ca -keyout my-ca.key -out my-ca.pem \
    -subj '/C=US/O=Example/OU=CA' -config name-constraint.ini
```

use `ed25519` instead of `rsa:4096` if you want a nice and smol cert, but that will be less compatible with stuff
now you can start signing certs with it
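As an added example (not from the original post or the sources it adapts), the script below builds the CA from the config above, signs one leaf inside `.example.com` and one outside it, and checks with `openssl verify` that the second is rejected. It assumes OpenSSL 1.1.1 or newer on PATH and uses `rsa:2048` with `-nodes` only so it runs quickly without prompts.

```shell
#!/bin/sh
# Added example: exercise the name-constrained CA end to end.
# Assumes openssl 1.1.1+ on PATH; everything is written to a scratch directory.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Same config as the post; keyUsage sits in the extension section, where it applies.
cat > name-constraint.ini <<'EOF'
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[domain_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF

# The CA itself (rsa:2048 and -nodes only so the example runs quickly without prompts).
openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
    -extensions domain_ca -keyout my-ca.key -out my-ca.pem \
    -subj '/C=US/O=Example/OU=CA' -config name-constraint.ini 2>/dev/null

# issue_leaf NAME: sign a server cert for NAME with the CA and print its path.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA my-ca.pem -CAkey my-ca.key -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
    printf '%s\n' "$1.pem"
}

# verify_leaf PEM: succeeds only if the chain (name constraints included) verifies.
verify_leaf() {
    openssl verify -CAfile my-ca.pem "$1" >/dev/null 2>&1
}

# Inside the permitted subtree: accepted.
verify_leaf "$(issue_leaf www.example.com)" && echo "www.example.com: accepted"
# Outside it: rejected ("permitted subtree violation") even though our CA signed it.
verify_leaf "$(issue_leaf www.example.net)" || echo "www.example.net: rejected"
```

Run `openssl verify -CAfile my-ca.pem www.example.net.pem` without the redirects to see the exact error text your OpenSSL version prints.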