Comment 4 for bug 1895714

Paride Legovini (paride) wrote :

For services that are not meant to be accessible by generic clients but that are instead bound to a specific client, I think the best practice is to avoid the use of a public CA altogether, and rely on a private CA pinned in the client. This removes the (possibly-not-)trusted third party from the game, and this is what many smartphone apps are doing, as they're the only consumer clients. The downside is of course the burden of properly maintaining a CA.
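The arrangement described in the comment above, as an added example that is not part of the bug thread or of any Ubuntu package: a Go program (standard library only) that constructs a private root in memory, issues a server certificate from it, and runs a TLS handshake where the client's trust store is exactly that one root. A second server certificate for the same hostname, issued by a different CA, is rejected as "signed by unknown authority" even though it is otherwise valid, which is the whole point of pinning: no public CA can mint a certificate the client will accept. The CA names and the hostname `api.example.internal` are hypothetical; the keys are generated fresh each run and nothing touches disk or the OS trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname the client expects on the server certificate (hypothetical, demo only).
const serviceHost = "api.example.internal"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root certificate and key. Both the "private" root and the
// "other" CA used below are constructed in memory for the demo.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf signs a server certificate for host with the given CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshakeWithPinnedRoot runs a TLS handshake over an in-memory pipe. The client's RootCAs
// pool holds exactly one certificate, the pinned private root, so the system trust store
// (and every public CA in it) plays no part in the decision.
func handshakeWithPinnedRoot(pinnedRoot *x509.Certificate, serverCert tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(pinnedRoot)

	clientSide, serverSide := net.Pipe()
	defer serverSide.Close()

	server := tls.Server(serverSide, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		SessionTicketsDisabled: true, // nothing is written after the Finished messages
	})
	client := tls.Client(clientSide, &tls.Config{
		RootCAs:    pool,
		ServerName: serviceHost,
		MinVersion: tls.VersionTLS12,
	})

	serverDone := make(chan error, 1)
	go func() { serverDone <- server.Handshake() }()
	clientErr := client.Handshake()
	clientSide.Close() // unblocks the server side if it is still writing to the pipe
	<-serverDone
	return clientErr
}

// IsUnknownAuthority reports whether err is x509's "signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// RunDemo returns the client's handshake result against (1) a server certificate issued by
// the pinned private CA and (2) a certificate for the same hostname from a different CA.
func RunDemo() (pinnedErr, impostorErr error) {
	privateRoot, privateKey := newCA("Example Private Root", 1)
	otherRoot, otherKey := newCA("Some Other CA", 2)
	pinnedErr = handshakeWithPinnedRoot(privateRoot, issueLeaf(privateRoot, privateKey, serviceHost))
	impostorErr = handshakeWithPinnedRoot(privateRoot, issueLeaf(otherRoot, otherKey, serviceHost))
	return pinnedErr, impostorErr
}

func main() {
	pinnedErr, impostorErr := RunDemo()
	fmt.Println("leaf from pinned private CA:", pinnedErr)
	fmt.Println("leaf from other CA:         ", impostorErr)
}
```

The check that matters is that `RootCAs` is a pool built from the pinned root rather than left nil (nil means "use the system store", which silently reintroduces every public CA). The maintenance burden the comment mentions shows up here as well: the root's `NotAfter`, its key custody, and a rotation path for the pinned copy in deployed clients all become the operator's problem.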