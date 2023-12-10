Some software will accept name constraints on root CA certificates, so you create your root certificate with them. Other software only honours name constraints on intermediate CA certificates, so you also create an intermediate certificate carrying the same constraints as your root certificate; give it the same validity period as the root (or as long a validity period as you expect to need your CA for), because once the next step is done it can never be reissued. At this point, you throw away the root CA's private key, so no one can make any more intermediate certificates. This ensures an attacker can't create a new intermediate certificate without name constraints and then issue certificates from it that would be accepted by older Chrome versions and other things that ignore root CA name constraints. The intermediate's key is now the only signing key in the hierarchy, so it needs the protection you would otherwise have given the root.
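The procedure above, worked through with OpenSSL as an added example (this is not the original post's script): a name-constrained root, an intermediate with the identical critical constraint and the same lifetime, destruction of the root key, and then a check that a certificate inside the permitted namespace validates while one outside it is rejected. The namespace `.corp.example`, the subject names, the 10-year lifetime and the `check_leaf`/`has_critical_constraints` helpers are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a name-constrained
# private CA with OpenSSL. The namespace, names and lifetimes are assumptions.
set -eu

PERMITTED_SUFFIX=".corp.example"   # hypothetical internal DNS namespace
CA_DAYS=3650                        # root and intermediate get the same lifetime
WORK=$(mktemp -d)

build_ca() {
    cd "$WORK"
    # Both CA profiles carry the identical critical nameConstraints, so a
    # validator that ignores constraints on the root still enforces them
    # on the intermediate that actually issues end-entity certificates.
    cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:${PERMITTED_SUFFIX}
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
nameConstraints = critical, permitted;DNS:${PERMITTED_SUFFIX}
EOF
    # 1. Root: self-signed and name-constrained.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout root.key -out root.crt -days "$CA_DAYS" \
        -subj "/CN=Example Root CA" -config ca.cnf -extensions v3_root
    # 2. Intermediate: same constraints, same lifetime, signed by the root.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout int.key -out int.csr -subj "/CN=Example Issuing CA" -config ca.cnf
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days "$CA_DAYS" -out int.crt -extfile ca.cnf -extensions v3_int
    # 3. Destroy the root key so no further (possibly unconstrained)
    #    intermediate can ever be issued. A real key ceremony would wipe the
    #    key material on the HSM or disk rather than merely unlink a file.
    rm -f root.key
}

# Returns 0 when the certificate in $1 carries a critical Name Constraints
# extension, 1 otherwise (useful as a post-build sanity check).
has_critical_constraints() {
    openssl x509 -in "$1" -noout -text | grep -q 'Name Constraints: critical'
}

# Issues a server certificate for DNS name $1 from the intermediate and
# validates the chain against the root. Returns 0 when the chain verifies,
# 1 when it is rejected (e.g. "permitted subtree violation").
check_leaf() {
    name=$1
    cd "$WORK"
    printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$name" > leaf.ext
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=$name" -config ca.cnf
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 365 -out leaf.crt -extfile leaf.ext
    if openssl verify -CAfile root.crt -untrusted int.crt leaf.crt; then
        return 0
    else
        return 1
    fi
}

build_ca
has_critical_constraints "$WORK/int.crt"
check_leaf "app${PERMITTED_SUFFIX}"           # inside the namespace: verifies
if check_leaf www.example.com; then           # outside it: must be rejected
    echo "unexpected: out-of-scope name accepted" >&2
    exit 1
fi
if [ ! -e "$WORK/root.key" ]; then
    echo "root key destroyed; no further intermediates can be issued"
fi
```

Two caveats when adapting this. A `permitted;DNS:` entry only restricts DNS names: other name forms (IP-address SANs, email addresses, directory names) stay unconstrained unless you add `excluded;` entries for them, so a constraint that is meant to be airtight usually excludes the IPv4 and IPv6 ranges it does not need. And because `openssl verify` enforces the constraint from the intermediate as well as from the root, the out-of-scope test here passes even on a validator that ignores constraints on trust anchors, which is exactly the property the duplicated constraint is meant to provide.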