Can a wildcard certificate act as CA for subdomains? [duplicate]

Çağlar Arlı

Inspired by "Is LetsEncrypt activity Public?"

Say I've got a *.mycompany.com certificate from LetsEncrypt on my primary production server. I want to generate a certificate for my honeypot, which might obviously get stolen.

Can I use *.mycompany.com to sign honey1.mycompany.com? If I provide the full chain of trust, will common browsers accept this?

If not, why not? What would the security risks be of allowing this chaining of certificates?

(If I'm not mistaken, it's not allowed due to the CA flag not being set on certificates signed by LE. But I'm curious what the security implications would be.)
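
The CA-flag point raised in the question can be checked locally. This is an added example, not part of the original post: a throwaway root (a constructed stand-in for the public CA) issues a `*.mycompany.com` leaf with `CA:FALSE`, that leaf's key then signs `honey1.mycompany.com`, and `openssl verify` is run over the full chain. All file and function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed throwaway PKI: "Constructed Test Root" stands in for the public CA.
build_chain() {  # $1 = empty work directory
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
  # Self-signed root carrying CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/pki.cnf" -extensions root \
    -subj "/CN=Constructed Test Root" -days 1 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Wildcard leaf issued by the root, then honey1 signed with the wildcard's key.
  issue "$d" wild '*.mycompany.com' root || return 1
  issue "$d" honey 'honey1.mycompany.com' wild
}
issue() {  # $1 dir, $2 output name, $3 CN, $4 issuer name; always CA:FALSE
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 1 -extfile "$1/pki.cnf" -extensions leaf \
    -out "$1/$2.pem" 2>/dev/null
}
verify_honeypot() {  # chain: root -> wildcard (supplied as intermediate) -> honey1
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/wild.pem" "$1/honey.pem" 2>&1
}
verify_wildcard() {  # control: the wildcard itself chains to the root
  openssl verify -CAfile "$1/root.pem" "$1/wild.pem" 2>&1
}
# Demo run in a temporary directory.
d=$(mktemp -d) && build_chain "$d" && {
  verify_wildcard "$d"
  verify_honeypot "$d" || echo "honey1 rejected: the wildcard leaf is not a CA"
}
rm -rf "$d"
```

The signature on `honey1` is mathematically valid; path validation fails because the certificate used as issuer has `CA:FALSE`, which OpenSSL reports against the wildcard certificate at depth 1 as an invalid CA certificate.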