For an intranet server I use a self-signed certificate which I want to trust system-wide. I added the certificate exception to Firefox, but this is not possible in Chrome, console applications, IDEs, ...
This is why I want the certificate to be trusted system-wide. As I understood it, the recommended way is to install it as a root CA: https://blogs.technet.microsoft.com/sbs/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista/
As I also understood it, this means that whoever controls the self-signed certificate now controls a root authority which can sign forged certificates for any site on my machine. Is this true, and if yes, how can I prevent this? I just want to have a single intranet server self-signed, not potentially all services I use.
What is the recommended way to deal with intranet TLS here?