Another obnoxious behavior is clients enforcing lifetime requirements for domains they have no business imposing their opinion about: .internal and .home.arpa. These are specifically carved out for private use. If I want to roll my own CA with a 2.5.29.30 name constraint extension for one of these domains and hand out a 10 year wildcard certificate, I should be able to without interference from my web browser.

Additionally, Google and the PSL have inadvertently broken .home.arpa on Chrome by misclassifying it as a public suffix, while leaving .internal alone. A wildcard cert for *.home.arpa will not work on Chrome, but *.internal will, despite these two domains being essentially equivalent in purpose.
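As an added example (not code from the thread), this is what the setup described above looks like with openssl: a private root carrying a critical 2.5.29.30 nameConstraints extension that permits only .internal, a 10-year wildcard leaf under it, and a check that the root's own constraint rejects a *.home.arpa leaf. It assumes openssl 1.1.1 or later on PATH; the working directory, file names and CN text are constructed for the demo.

```shell
# Added example, not from the thread: a private root CA carrying a critical
# 2.5.29.30 (nameConstraints) extension that permits only .internal, then a
# 10-year wildcard leaf under it. Assumes openssl 1.1.1+ on PATH; file names
# and the CN text are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root; ca_ext restricts every cert it signs to names under .internal
make_constrained_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Home Lab Root (limited to .internal)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.internal
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_leaf NAME DAYS: sign a leaf with SAN DNS:NAME; prints the cert path
issue_leaf() {
  f="$WORK/$(echo "$1" | tr '*' '_')"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$f.key" -out "$f.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > "$f.ext"
  openssl x509 -req -in "$f.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -extfile "$f.ext" -out "$f.crt" 2>/dev/null
  echo "$f.crt"
}

# verify_leaf CERT: exit 0 only if the chain validates under the constrained root
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

run_demo() {
  make_constrained_ca
  verify_leaf "$(issue_leaf '*.internal' 3650)" && echo '*.internal: chain OK'
  # A 10-year *.home.arpa cert from this root fails, by the CA's own constraint
  verify_leaf "$(issue_leaf '*.home.arpa' 3650)" || echo '*.home.arpa: rejected'
}
run_demo
```

The constraint is what keeps such a root safe to trust: even if its key leaks, it cannot mint a valid cert for a public name. Whether a given browser honours that trust without imposing public-CA lifetime rules is the separate question the thread is arguing about.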
jeroenhd|6 months ago
You should be. From what I can remember, both Firefox and Chrome add exceptions to user-installed certificates that disable requirements such as certificate transparency logs and even things like HPKP back when that was a thing.
It's easy to make a mistake and install certificates in the system chain instead (especially on Windows), but if you pick the right certificate store I don't think you should be having any trouble. That said, it's been a while since I last dealt with Chrome, maybe things have gotten worse.
jmwilson|6 months ago