crapple8430 11 hours ago

A related issue is that most consumer devices (both iPhone and current Android) make it impossible or extremely difficult to trust your own root CA for signing such certs.

ingenium 7 hours ago | parent | next [-]

Android is pretty easy, you just add it to the keystore and that's it. I've had my own CA since long before Let's Encrypt, but now mostly only use it for non-public devices that can't easily use Let's Encrypt (printers, switches, etc).

crapple8430 6 hours ago | parent [-]

You can add it to your user CA store, but no app will trust it since it's treated differently from the system CA store, which you can't modify without root or building your own ROM. In effect it is out of reach for most normal users, as well as people using security-focused ROMs like Graphene, when ironically it can improve security in transit in many cases.

ingenium 4 hours ago | parent [-]

I mean it works fine for me on Chrome.

iso1631 an hour ago | parent | prev [-]

I don't want to trust my own root CA as I don't trust myself to keep it secure.

I want to import it only for a specific set of domains: "Allow this rootca to authenticate mydomain.com, addmanager.com, debuggingsite.com", which means even if compromised it won't be intercepting mybank.com.
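The per-domain scoping described in this comment is exactly what the X.509 Name Constraints extension (RFC 5280, section 4.2.1.10) expresses on a CA certificate. The following is an added example, not code from anyone in the thread: a small Python model of the dNSName constraint check a validator performs, run over constructed certificate names (`mydomain.com`, `mybank.com`, and the others here are illustrative), so the effect of a constrained root can be seen without issuing real certificates.

```python
# Added example, not from the thread: a pure-Python model of the X.509
# Name Constraints check (RFC 5280, section 4.2.1.10) that gives a root CA
# the per-domain scope the comment above asks for. On a real CA certificate
# the same policy is carried by the nameConstraints extension, e.g. in an
# OpenSSL config:  nameConstraints = critical,permitted;DNS:mydomain.com
# All names and subtrees below are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class DnsNameConstraints:
    """dNSName entries of a CA's permittedSubtrees / excludedSubtrees."""
    permitted: tuple[str, ...] = ()
    excluded: tuple[str, ...] = ()


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.strip().lower().rstrip(".")


def in_dns_subtree(name: str, subtree: str) -> bool:
    """True when NAME equals SUBTREE or is formed by adding labels to its left
    (RFC 5280: "sub.mydomain.com" satisfies "mydomain.com"). A subtree written
    with a leading dot (".mydomain.com") matches subdomains only, the reading
    OpenSSL applies. A plain suffix test would be wrong: "notmydomain.com"
    must not satisfy "mydomain.com", so the boundary has to fall on a label."""
    name = _normalize(name)
    subtree = _normalize(subtree)
    if subtree.startswith("."):
        return name.endswith(subtree)  # ".mydomain.com" excludes the bare apex
    return name == subtree or name.endswith("." + subtree)


def dns_name_allowed(name: str, nc: DnsNameConstraints) -> bool:
    """A name passes when it lies in no excluded subtree and, if the CA lists
    any permitted dNSName subtrees at all, in at least one of them."""
    if any(in_dns_subtree(name, ex) for ex in nc.excluded):
        return False
    if nc.permitted and not any(in_dns_subtree(name, p) for p in nc.permitted):
        return False
    return True


def leaf_accepted(san_dns_names, chain_constraints) -> bool:
    """Path validation applies the constraints of every CA above the leaf to
    every dNSName in its subjectAltName; one offending name fails the whole
    certificate, so a leaf cannot carry mybank.com in beside mydomain.com."""
    return all(
        dns_name_allowed(n, nc) for nc in chain_constraints for n in san_dns_names
    )


# Constructed root reflecting the comment's wish list.
HOME_ROOT = DnsNameConstraints(
    permitted=("mydomain.com", "addmanager.com", "debuggingsite.com"),
)


def demo() -> dict[str, bool]:
    """Constructed leaf certificates (SAN dNSName lists) checked against HOME_ROOT."""
    cases = {
        "mydomain.com": ["mydomain.com"],
        "printer.mydomain.com": ["printer.mydomain.com"],
        "mybank.com": ["mybank.com"],                 # outside every permitted subtree
        "notmydomain.com": ["notmydomain.com"],       # suffix trick, label boundary holds
        "mixed SAN": ["mydomain.com", "mybank.com"],  # one bad name rejects the cert
    }
    return {label: leaf_accepted(names, [HOME_ROOT]) for label, names in cases.items()}


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:<22} {'accepted' if ok else 'rejected'}")
```

The check is per name type: a root constrained only on dNSName still says nothing about IP-address or e-mail SANs, so a real deployment lists the types it wants to restrict, and the extension is only useful where the validating client honours it (OpenSSL and the major browsers do).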