

Anyone running their own CA for self-signed certs?

I want to create a simple CA for myself for all the services I set up that need SSL, so I don't have to keep accepting "untrusted" certificates in every application, for every site, on every device I connect to them with.

I found a few things on GitHub that might be usable, but I'm wondering if anyone else has suggestions too:

caman?
EasyCert

Comments

  • JustAMacUser Member
    edited June 2016

    I do this for VPNs and some web sites that are internal in nature. I've found EasyRSA to be pretty straightforward.

    Also, even if one is using a self-signed certificate without a CA, usually one can just add the public certificate to the device and that will prevent the untrusted errors.

  • rm_ IPv6 Advocate, Veteran
    edited June 2016

    I used to use CAcert for this purpose. They already run a CA for you that's recognized as trusted in some limited OSes and applications (it used to be in Debian, but isn't anymore). On other devices you can just install their root cert.

    However, now with https://assl.loovit.net/ https://www.lowendtalk.com/discussion/comment/1720425/#Comment_1720425
    there is no point anymore in either CAcert or running your own CA. At least for the time being we can just get real, valid wildcard certs for free.

    On another front, I recently found a good and simple Let's Encrypt client, https://github.com/lukas2511/letsencrypt.sh, which doesn't try to mess with my system or web server configs, doesn't try to install anything anywhere, also runs well under an unprivileged user, and is entirely contained in its own dir. So I had to change my stance on LE and admit that with all these conditions met, it can be a convenient and usable service.

    And finally, if you have just a handful of domains/hostnames (5 or fewer) and don't expect them to change often, you could just get a free WoSign multi-domain certificate valid for 3 years.

    Any of these options beats bothering with running your own CA and keeping its certs installed on each and every device that you might use.

  • WebProject Host Rep, Veteran

    rm_ said: They already run a CA for you that's recognized as trusted in some limited OSes and applications

    Google Chrome doesn't support their website; it shows the following error:
    NET::ERR_CERT_AUTHORITY_INVALID

    More likely it should display:
    ERR_CERT_AUTHORITY_IS_FAKE

  • rm_ IPv6 Advocate, Veteran

    WebProject said: Google Chrome doesn't support their website; it shows the following error

    They have a limited inclusion status: https://en.wikipedia.org/wiki/CAcert.org#Inclusion_status

    Just visit their site over HTTP and get the root cert from there if you're interested.

  • texteditor Member

    rm_ said: Any of these options beats bothering with running your own CA and keeping its certs installed on each and every device that you might use.

    I'll take a closer look at Let's Encrypt now that standalone tools like that exist. I don't like the idea of having to get it reissued every few months.

  • Shade Member

    Yes, I do. I just wrote a tiny bash script (or two). Together with an openssl.conf it should be enough for personal use. This helped me a lot: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html - If you want my "scripts", let me know, but I promise there is nothing in that script you can't do yourself :p
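    As an added illustration of the "openssl.cnf plus a couple of small scripts" approach discussed above (this is example code written for this page, not Shade's scripts or the jamielinux guide's), the following POSIX shell creates a private root CA, issues a server certificate for one hostname, and then verifies that certificate against the root, which is the same check a client performs once the root is installed in its trust store (the point JustAMacUser made about adding the cert to the device). It assumes openssl 1.1.1 or later on PATH; the directory `./pki`, the CA name "Home Lab Root CA" and the hostname `git.home.example` are illustrative. Two details matter for modern clients: the leaf carries a `subjectAltName` (browsers ignore the CN) and `CA:FALSE`, and the root carries `keyUsage = keyCertSign` with `pathlen:0`, so a stolen leaf key cannot be used to mint further certificates.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA driven by openssl.
# Assumptions: openssl 1.1.1+ on PATH; paths and names below are illustrative.
set -e

# make_root_ca DIR NAME: self-signed root limited to signing certs and CRLs.
make_root_ca() {
    dir=$1 name=$2
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = $name
[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"   # the root key is the whole security of the CA
}

# issue_leaf DIR HOST: key + CSR for HOST, signed by the root as an
# end-entity server cert with a SAN and CA:FALSE.
issue_leaf() {
    dir=$1 host=$2
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = $host
[v3_leaf]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/$host.cnf" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    # Extensions come from the signer's file, never from the CSR, so a CSR
    # cannot request CA:TRUE or extra names for itself.
    openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.cnf" -extensions v3_leaf -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# verify_cert CAFILE CERTFILE HOST: chain + hostname check, exit 0 on success.
# This is what a client does once CAFILE sits in its trust store.
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Usage: sh ca.sh demo   (creates ./pki, issues git.home.example, verifies it)
if [ "${1:-}" = "demo" ]; then
    make_root_ca ./pki "Home Lab Root CA"
    issue_leaf ./pki git.home.example
    verify_cert ./pki/ca.crt ./pki/git.home.example.crt git.home.example \
        && echo "git.home.example: OK"
fi
```

    After running the demo, `./pki/ca.crt` is the only file that needs to be installed on each device; the `.key` files stay on the box that issues certificates. A certificate issued for one name fails the hostname check for any other name, so a wildcard or multi-name deployment needs each name listed in the `subjectAltName`.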

  • eva2000 Veteran

    texteditor said: I'll take a closer look at Let's Encrypt now that standalone tools like that exist. I don't like the idea of having to get it reissued every few months.

    Official list of Let's Encrypt third-party clients at https://letsencrypt.org/docs/client-options/ :)

  • tommy Member

    A long time ago I used CAcert for all of my services, but since moving to a wildcard SSL cert I've never looked back.

    Don't bother with Let's Encrypt, because of their public lists ;)

  • yomero Member

    tommy said: Don't bother with Let's Encrypt, because of their public lists ;)

    What do you mean by this?

  • tommy Member

    yomero said: What do you mean by this?

    Some time ago I saw a website that had data on all domains using Let's Encrypt (I don't remember the link anymore, maybe someone here knows?) in one place. You know what that means, right? Some have interesting subdomains (admin-*, private-*).

    A hacker wannabe no longer needs to scan the entire internet to find a target.

  • rm_ IPv6 Advocate, Veteran
    edited July 2016

    tommy said: Some time ago I saw a website that had data on all domains using Let's Encrypt (I don't remember the link anymore, maybe someone here knows?) in one place

    That's called Certificate Transparency, and it's designed so that people can watch which certs they issue and ensure no malicious certs are issued via exploits or security holes, like recently in StartEncrypt.

    You know what that means, right?

    No, not really, what? What do I risk from publishing (teh horror!) my website address?

    some have an interesting subdomain (admin-*, private-*)

    If you have a super sekrit domain name as your only protection, then god help you.

  • tommy Member
    edited July 2016

    rm_ said: If you have a super sekrit domain name as your only protection, then god help you.

    It's the same as when people say changing the SSH port to another port won't help you :) We can't have everyone agree with that, right? But I prefer to change my SSH port and keep my private subdomain out of a public list :D

  • cassa Member

    I used a PHP web interface for this some time ago. TinyCert seems interesting as well
