Support name constraint extension for self-generated CA authority #5759
Open
Description
When generating a CA cert via Caddy and putting that in the trust store, those private keys can also forge certificates for any other domain.
We're only using this for company.dev and two other domains. Would be neat if we could tell Caddy to create a CA with name constraint extension, reducing the scope of its authority to only domains (and their subdomains) that we need it for.
Just an idea, feel free to close this if it isn't relevant.
Also, I'd suggest enabling the "Discussions" tab on GitHub. Then you'd get fewer issues for ideas like this 😄