So, I've generated a rootCA, and signed a certificate for *.a.com, how can I trust the resulting certificate in Firefox/Chrome, without trusting the CA directly?
Note that adding an exception (once) is not enough in this case, since there are multiple domains.