(Full disclosure, 20+ year veteran and CTO of big-CA-you-probably-know, but I really like how your product looks - just need a bit more time to explore!)
People do weird things with private CAs. Be it for testing or corporate shenanigans, they do want to issue for domains they don't control, data they can't verify, internal identifiers etc. - all in contrast to public/webPKI. This is fine, there's no real downside to letting them do it as it's a private CA after all.
The other thing wasn't cross-signing (not gazing into that abyss!) I just meant issuing a CA from the private root with CA=true so that it can itself issue certificates. Commonly used on MITM proxies/TLS inspection devices - sadly more common than you think, but again no risk to anyone outside of that enterprise. I believe even in some business areas, it's basically required to TLS MITM your users (finance).
Happy to chat more off here if you'd like - email on profile for personal or nick (at) sectigo dot com.