diff --git a/cmd/init.go b/cmd/init.go index 740208d..f574c5e 100644 --- a/cmd/init.go +++ b/cmd/init.go @@ -85,6 +85,10 @@ func NewInitCommand() cli.Command { Name: "stdout", Usage: "Print certificate to stdout in addition to saving file", }, + cli.StringSliceFlag{ + Name: "permit-domain", + Usage: "Create a CA restricted to subdomains of this domain (can be specified multiple times)", + }, }, Action: initAction, } @@ -150,7 +154,7 @@ func initAction(c *cli.Context) { } } - crt, err := pkix.CreateCertificateAuthority(key, c.String("organizational-unit"), expiresTime, c.String("organization"), c.String("country"), c.String("province"), c.String("locality"), c.String("common-name")) + crt, err := pkix.CreateCertificateAuthority(key, c.String("organizational-unit"), expiresTime, c.String("organization"), c.String("country"), c.String("province"), c.String("locality"), c.String("common-name"), c.StringSlice("permit-domain")) if err != nil { fmt.Fprintln(os.Stderr, "Create certificate error:", err) os.Exit(1) diff --git a/cmd/revoke_test.go b/cmd/revoke_test.go index 98b1aa1..f019ee3 100644 --- a/cmd/revoke_test.go +++ b/cmd/revoke_test.go @@ -73,7 +73,7 @@ func setupCA(t *testing.T, dt depot.Depot) { } // create certificate authority - caCert, err := pkix.CreateCertificateAuthority(key, caName, time.Now().Add(1*time.Minute), "", "", "", "", caName) + caCert, err := pkix.CreateCertificateAuthority(key, caName, time.Now().Add(1*time.Minute), "", "", "", "", caName, nil) if err != nil { t.Fatalf("could not create authority cert: %v", err) } diff --git a/pkix/cert_auth.go b/pkix/cert_auth.go index e1809ed..7f21b6b 100644 --- a/pkix/cert_auth.go +++ b/pkix/cert_auth.go 
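Review bot: The usage text of the new `permit-domain` flag does not tell the operator which form the value must take, and the two forms behave differently: the test in this same change uses `.example.com`, and under the leading-dot rule Go's verifier applies to dNSName constraints that excludes `example.com` itself, while `example.com` without the dot permits both the apex and every subdomain. Since the value ends up verbatim in a critical permittedSubtrees constraint, a wrong choice here is baked into the CA for its lifetime. I would make the Usage string say so, e.g. `Usage: "Restrict the CA (critical name constraint) to this DNS domain and its subdomains; prefix with '.' to exclude the domain itself. Repeatable; only DNS names are constrained."`. The flag table and `NewInitCommand` continue outside the hunk.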
@@ -26,7 +26,7 @@ import ( // CreateCertificateAuthority creates Certificate Authority using existing key. // CertificateAuthorityInfo returned is the extra infomation required by Certificate Authority. -func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time.Time, organization string, country string, province string, locality string, commonName string) (*Certificate, error) { +func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time.Time, organization string, country string, province string, locality string, commonName string, permitDomains []string) (*Certificate, error) { authTemplate := newAuthTemplate() subjectKeyID, err := GenerateSubjectKeyID(key.Public) @@ -54,6 +54,11 @@ func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time authTemplate.Subject.CommonName = commonName } + if len(permitDomains) > 0 { + authTemplate.PermittedDNSDomainsCritical = true + authTemplate.PermittedDNSDomains = permitDomains + } + crtBytes, err := x509.CreateCertificate(rand.Reader, &authTemplate, &authTemplate, key.Public, key.Private) if err != nil { return nil, err diff --git a/pkix/cert_auth_test.go b/pkix/cert_auth_test.go index 00424a4..3553cc5 100644 --- a/pkix/cert_auth_test.go +++ b/pkix/cert_auth_test.go @@ -28,7 +28,7 @@ func TestCreateCertificateAuthority(t *testing.T) { t.Fatal("Failed creating rsa key:", err) } - crt, err := CreateCertificateAuthority(key, "OU", time.Now().AddDate(5, 0, 0), "test", "US", "California", "San Francisco", "CA Name") + crt, err := CreateCertificateAuthority(key, "OU", time.Now().AddDate(5, 0, 0), "test", "US", "California", "San Francisco", "CA Name", []string{".example.com"}) if err != nil { t.Fatal("Failed creating certificate authority:", err) } 
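Review bot: The doc comment on `CreateCertificateAuthority` is not updated for the new `permitDomains` parameter, which is the one argument with a security meaning that callers need to get right. I would add a sentence above the signature such as `// permitDomains, when non-empty, is encoded as a critical name constraint (permittedSubtrees, dNSName) so certificates issued under this CA are only valid for those DNS names; nil leaves the CA unconstrained. Only DNS names are constrained.`. The function body continues outside the hunk.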
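Review bot: The `len(permitDomains) > 0` block copies the entries into `PermittedDNSDomains` without validating them, so a caller (or `--permit-domain ""` on the CLI) can produce a CA that carries a critical name constraint yet is effectively unconstrained: Go's verifier, following NSS, treats a zero-length dNSName constraint as matching every name. Rejecting empty entries before they reach the template closes that hole, and I would also reject values containing `*` or whitespace since they never match a real host name. Separately, name constraints are applied per name type, so this CA can still sign certificates with IP-address, email or URI SANs; either document that limitation or, where the Go version supports it, also set `ExcludedIPRanges` for `0.0.0.0/0` and `::/0`. The `errors` import may need adding if the file does not already have it; the import block at line 26 is outside this hunk.
```go
	if len(permitDomains) > 0 {
		for _, d := range permitDomains {
			// An empty constraint is accepted by verifiers as matching any
			// name, which would silently turn a "restricted" CA into an
			// unrestricted one while the constraint extension still looks set.
			if d == "" || strings.ContainsAny(d, "* \t") {
				return nil, errors.New("pkix: invalid permitted domain: " + strconv.Quote(d))
			}
		}
		authTemplate.PermittedDNSDomainsCritical = true
		authTemplate.PermittedDNSDomains = permitDomains
	}
	// … unchanged: x509.CreateCertificate call …
```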
@@ -52,4 +52,16 @@ func TestCreateCertificateAuthority(t *testing.T) { if !time.Now().Before(rawCrt.NotAfter) { t.Fatal("Failed to be before NotAfter") } + + if crt.crt.PermittedDNSDomainsCritical != true { + t.Fatal("Permitted DNS Domains is not set to critical") + } + + if len(crt.crt.PermittedDNSDomains) != 1 { + t.Fatal("More than one entry found in list of permitted DNS domains") + } + + if crt.crt.PermittedDNSDomains[0] != ".example.com" { + t.Fatalf("Wrong permitted DNS domain, want %q, got %q", ".example.com", crt.crt.PermittedDNSDomains[0]) + } } diff --git a/pkix/crl_test.go b/pkix/crl_test.go index 2f48b01..608f804 100644 --- a/pkix/crl_test.go +++ b/pkix/crl_test.go @@ -49,7 +49,7 @@ func TestCreateCertificateRevocationList(t *testing.T) { t.Fatal("Failed creating rsa key:", err) } - crt, err := CreateCertificateAuthority(key, "OU", time.Now().AddDate(5, 0, 0), "test", "US", "California", "San Francisco", "CA Name") + crt, err := CreateCertificateAuthority(key, "OU", time.Now().AddDate(5, 0, 0), "test", "US", "California", "San Francisco", "CA Name", nil) if err != nil { t.Fatal("Failed creating certificate authority:", err) }
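Review bot: The message in the `len(crt.crt.PermittedDNSDomains) != 1` check is wrong for the case it is most likely to hit: if the constraint was dropped entirely the list is empty, yet the failure reads "More than one entry found". I would report the actual count, `t.Fatalf("want exactly one permitted DNS domain, got %d", len(crt.crt.PermittedDNSDomains))`, and write the preceding check as `if !crt.crt.PermittedDNSDomainsCritical {` rather than comparing against `true`. The test only confirms the extension round-trips; a stronger check would issue a leaf for a host outside `.example.com` (and for `example.com` itself, which the leading-dot form excludes) and assert that `Verify` against this CA fails.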