Security improvements

[luisfarzati]

Copying down here a few suggestions by the community. I'll try to tackle these when I have enough time for research ('cause I don't have much experience with these) and implementation.

If anybody wants to help with any of these, or discuss more about these suggestions, that would be great.

"Generate root CA with NameConstraints, in order to avoid issuing certs for any domain on the internet." (see original)

"Automatically destroy the root's private key after making any needed certs. That is, the root's private key exists only long enough to issue certificates for this session, then it's destroyed. If the user changes things you don't re-use that root CA, you distrust it and make a new one, for which the private key would likewise only exist during setup and then be destroyed." (see original)

"Shortening the lifetime of the locally installed root cert mitigates potential attack surface resulting out of a loss of sensitive private key material." (no link, gitter message)