Creating a scope-limited TLS certificate authority
This will create a certificate authority that is identical, but constrained.
It will also create a certificate with SAN values limited to the authorized scope, as TLS checks all possible SAN values against the constraints, rather than just the pertinent subset.
Make a copy of the opensslcfg with a new section:
[san_env]
subjectAltName=${ENV::SAN}
Make a new csr:
openssl req -new -key /etc/pki/tls/private/localhost.key -out /tmp/huh.csr -subj /CN=r3u20.devcluster.net
Sign it with designated DNS as SAN:
SAN=DNS:r3u20.devcluster.net openssl ca -config /tmp/openssltmp.cfg -in /tmp/huh.csr -out /etc/pki/tls/certs/fqdn.cert -batch -notext -startdate 19700101010101Z -enddate 21000101010101Z -extensions san_env
Add some 'ServerName' directive to the existing virtualhost, do not match it to the name for everyone, but it need not match specifically what is used:
<VirtualHost _default_:443>
ServerName unknownserver
Underneath the default, define specific virtualhost to indicate correct key material:
<VirtualHost *:443>
ServerName r3u20.devcluster.net
SSLCertificateFile /etc/pki/tls/certs/fqdn.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLEngine on
</VirtualHost>