
So, I've generated a root CA and signed a certificate for *.a.com. How can I trust the resulting certificate in Firefox/Chrome without trusting the CA directly?

Note that adding an exception (once) is not enough in this case, since there are multiple domains.

2 Answers


There are two possible approaches:

  1. Explicitly add the certificate to the browser certificate manager. Since Chrome and Firefox use NSS as their SSL library, this could be done using the following command (for Chrome):

    certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n SomeCertificateName -i /path/to/certificate

  2. Issue a subCA certificate limited by the nameConstraints extension, so that the subCA can only issue certificates with an a.com suffix. Now trust this subCA only. This article explains this approach.
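Approach 2 worked through as an added example (this is not code from the answer or from the linked article): a POSIX shell script that issues a root-signed sub-CA carrying a critical nameConstraints extension permitting only a.com, issues leaves from it, and checks with openssl verify that the sub-CA alone vouches for *.a.com but not for www.b.com; the last function trusts just that sub-CA in Chrome's NSS database with certutil, mirroring the command from approach 1. It assumes openssl and certutil are installed; subject names such as "Example a.com CA" and the file names are made up.

```shell
#!/bin/sh
# Added example (not code from the answers above). Assumes openssl and
# certutil (libnss3-tools) are installed; subject and file names are made up.
set -eu
# Extension section for the sub-CA. An RFC 5280 DNS constraint of "a.com"
# permits a.com plus any name built by adding labels on the left (www.a.com,
# *.a.com) and refuses everything else (b.com, www.b.com).
write_subca_config() {
    cat > "$1" <<'EOF'
[ subca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
nameConstraints        = critical, permitted;DNS:a.com
EOF
}
# Issue a leaf for DNS name $2 from the sub-CA in $1, written as $1/$3.pem.
# The name goes in the SAN, which is where constraints are matched.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$3.ext"
    openssl x509 -req -days 365 -in "$1/$3.csr" -CA "$1/subca.pem" \
        -CAkey "$1/subca.key" -CAcreateserial -extfile "$1/$3.ext" \
        -out "$1/$3.pem" 2>/dev/null
}
# Root -> constrained sub-CA -> two leaves under $1. Returns 0 only if *.a.com
# verifies against the sub-CA alone and www.b.com (same issuer) is rejected.
build_and_check() {
    write_subca_config "$1/subca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example a.com CA" \
        -keyout "$1/subca.key" -out "$1/subca.csr" 2>/dev/null
    openssl x509 -req -days 1825 -in "$1/subca.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -extfile "$1/subca.cnf" \
        -extensions subca_ext -out "$1/subca.pem" 2>/dev/null
    issue_leaf "$1" '*.a.com' good
    issue_leaf "$1" 'www.b.com' bad
    openssl verify -partial_chain -CAfile "$1/subca.pem" "$1/good.pem" >/dev/null 2>&1 || return 1
    ! openssl verify -partial_chain -CAfile "$1/subca.pem" "$1/bad.pem" >/dev/null 2>&1
}
# Trust only the sub-CA (C = trusted CA for servers) in Chrome's NSS store;
# the root is never imported, so it cannot vouch for domains outside a.com.
trust_subca_in_nss() {
    certutil -d "sql:$HOME/.pki/nssdb" -A -t "C,," -n "Example a.com CA" -i "$1/subca.pem"
}
```

For Firefox, point -d at the profile directory that holds cert9.db (sql:$HOME/.mozilla/firefox/<profile>) instead of Chrome's ~/.pki/nssdb.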

Because the certificate is not issued by a trusted CA, you will get the error for every domain the wildcard certificate applies to. Firefox stores certificate exceptions with the domain as the key, not the certificate, so it will ask you to make an exception for every domain (even with a wildcard certificate).

If you don't want to trust the CA directly you can ask the CA owner to create an intermediate CA certificate for you, which you can use to issue certificates. You can then add the intermediate CA in your browser. (or you could just create a new CA)

  • Did this answer your question?
    – mtak
    Commented Jun 12, 2014 at 9:26
