| | cert-gen | servercert |
|---|---|---|
| | 1 | 7 |
| Stars | 91 | 134 |
| Growth | - | 3.0% |
| Activity | 0.0 | 5.4 |
| | almost 2 years ago | 5 days ago |
| Language | Shell | CSS |
| License | MIT License | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cert-gen
- A safer default for navigation: HTTPS
> I wish there was a solution for those of us who develop web interfaces for embedded products designed to live on LAN
There almost is! Instead of self-signed certificates, use a certificate authority, and install that on the LAN's machines. https://github.com/devilbox/cert-gen
You can use macOS Server or Active Directory to push out the Certificate as trusted.
It's not perfect, but it's close enough for a LAN.
servercert
- We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI
The current CAB Forum Baseline Requirements call for "Multi-Perspective Issuance Corroboration" [1] i.e. make sure the DNS or HTTP challenge looks the same from several different data centres in different countries.
[1] https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
- DigiCert Revocation Incident (Cname Domain Validation)
There's no prohibition against issuing certificates for names on the Public Suffix List.
BR 3.2.2.6 prohibits issuing a wildcard certificate for an entire public suffix unless the "Applicant proves its rightful control of the entire Domain Namespace" (without specifying how this should be done - arguably, publishing a DNS record would qualify) but also says that CAs should use the "ICANN DOMAINS" section of the PSL only, not the "PRIVATE DOMAINS" section, so domains for dynamic DNS providers and the like wouldn't be included in any case. [https://github.com/cabforum/servercert/blob/main/docs/BR.md#...]
- All I Know About Certificates – Certificate Authority
That's because some people came along and produced a parallel standard [1] adding loads more rules, clarifications and constraints to convert X509 into something approximately fit for purpose.
[1] https://github.com/cabforum/servercert
- Does my site need HTTPS?
This is permitted: https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
But it hasn't really caught on; a lot of registrars don't seem to want the complexity of being (or integrating with) a CA, and vice versa.
- Let's Encrypt: Issue with TLS-ALPN-01 Validation Method
It is unfortunate. It's required: https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
- MarkMonitor left 60k domains for the taking
No, they don't have to MitM the CA's domain validation request. While they have brief control over the website, they use domain validation method 3.2.2.4.18 (Agreed-Upon Change to Website v2)[1] or 3.2.2.4.19 (Agreed-Upon Change to Website - ACME)[2] to legitimately complete domain validation by making a change to the website.
[1] https://github.com/cabforum/servercert/blob/cda0f92ee70121fd...
What are some alternatives?
acme-dns - Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
devcert - Local HTTPS development made easy
devcert-cli - A CLI wrapper for devcert, to manage development SSL/TLS certificates and domains
docker-swag - Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.