One of my inspirations for getlocalcert is a tool to make DNS-01 easier.
acme-dns lets you add a CNAME to another DNS zone, which lets you issue certificates for the former domain name using a convenient API for the latter zone. Seriously, read about it, it's awesome.
https://github.com/joohoi/acme-dns/
That tool is open source and self-hostable. getlocalcert also provides this feature, but as a hosted service. Choose the method you prefer.
https://docs.getlocalcert.net/tips/validation-domain/
Once DNS-01 is easy, wildcard certs are easy. Here's the docs for setting up a wildcard cert via getlocalcert:
Somewhat related - I made a bridge server [1] that lets ACME clients use standard RFC2136 to solve DNS-01 challenges for internal names without them needing credentials for the actual DNS backend (Route 53 in my case).
[1] https://github.com/schlarpc/rfc2136_bridge/blob/main/src/rfc...
MiniCA[0] works for this, quite trivial to set up and stamp out certs.
[0] https://github.com/jsha/minica
I've been pretty frustrated with how private CAs are supported. Your private root CA can be maliciously used to MITM every domain on the Internet, even though you intend to use it for only a couple domain names. Most people forget to set Name Constraints when they create these and many helper tools lack support [1][2]. Worse, browser support for Name Constraints has been slow [3] and support isn't well tracked [4]. Public CAs give you certificate transparency and you can subscribe to events to detect mis-issuance. Some hosted private CAs like AWS's offer logs [5], but DIY setups don't.
Even still, there are a lot of folks happily using private CAs; they aren't the target audience for this initial release.
[1] https://github.com/FiloSottile/mkcert/issues/302
[2] https://github.com/cert-manager/cert-manager/issues/3655
[3] https://alexsci.com/blog/name-non-constraint/
[4] https://github.com/Netflix/bettertls/issues/19
[5] https://docs.aws.amazon.com/privateca/latest/userguide/secur...
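The Name Constraints point made above, as an added example that is not from this thread or from any of the linked projects, using only Go's crypto/x509: a root is created with PermittedDNSDomains for a constructed suffix, a leaf is then issued for a name outside that suffix (issuance never checks the constraint), and a constraint-aware verifier rejects that chain. The suffix internal.example, the sample hostnames and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// sign issues tmpl with a fresh Ed25519 key and a one-day validity window; a nil signer means self-signed.
func sign(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// BuildConstrainedCA makes a root that may only issue under suffix (constructed: "internal.example");
// without the constraint the same root could sign a certificate for any host on the Internet.
func BuildConstrainedCA(suffix string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber:                big.NewInt(1),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomains:         []string{suffix},
		PermittedDNSDomainsCritical: true, // a verifier that cannot evaluate it must reject the chain
	}, nil, nil)
}
// IssueLeaf signs a server cert for name; signing never checks the constraint, only verification does.
func IssueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, name string) (*x509.Certificate, error) {
	leaf, _, err := sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{name}}, ca, caKey)
	return leaf, err
}
// VerifyAgainstRoot returns nil for a valid chain, or CertificateInvalidError{Reason: CANotAuthorizedForThisName}.
func VerifyAgainstRoot(leaf, root *x509.Certificate, name string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err
}
```

A verifier that ignores the extension (the browser gap the comment links to) would accept the out-of-scope leaf, which is exactly why the constraint is marked critical here.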
Solved.
Solved for both Windows and Linux (Debian, Arch, Fedora). I might have solved this for OSX as well (unlikely as that is), but I am not buying Apple hardware just to test it.
What my solution does is check for certificates created by the project during a build step. If the certificates don't exist it creates them, installs them in the OS, and also installs them in the browser. Installation in the browsers is required on Linux and only for Firefox on Windows. These are cert chains containing a self-signed root, intermediary CA, and a local domain cert.
I have these certs configured to work with my own domains so that I can connect to a subdomain addressed to a loopback IP and the cert recognizes that domain, but the domain "localhost" works as well. Sometimes it's nice to access a real domain to avoid any restrictions imposed upon accessing address "localhost". You just have to change the domains at the bottom of your OpenSSL option files.
Here is how I solved it with vanilla TypeScript in Node.js (also requires locally installed OpenSSL):
* OpenSSL option file 1 - https://github.com/prettydiff/share-file-systems/blob/master...
* OpenSSL option file 2 - https://github.com/prettydiff/share-file-systems/blob/master...
* Certificate library - https://github.com/prettydiff/share-file-systems/blob/master...
* Certificate interface from build tool - https://github.com/prettydiff/share-file-systems/blob/master...
* Certificate installation - https://github.com/prettydiff/share-file-systems/blob/master...
If you have any questions just open a GitHub issue on the project.
> Works great on air gapped networks
I've usually seen DANE paired with DNSSEC, and on the internet it feels required. DANE on an air gapped network is new to me, do you just skip the DNSSEC part? I'd be fearful of joining a network that puts bogus DANE TLSA records for google.com, for example.
Browser support for DANE is at 0%, unfortunately.
https://caniuse.com/?search=dane
> You need a PKI which exposes a SCEP endpoint (ejbca or dogtag supports this).
Uhh...
> [...] ejbca [...]
Now you have two problems.
What I mean is, if you’ve been already running EJBCA for whatever reason then this is perhaps reasonable, but if your current setup is at the level of typing `openssl req` into a terminal (whether that’s a good idea or not), this sounds like a lot of additional complexity. (Can’t say anything about dogtag.)
I’ve been waiting forever for somebody to add an ACME backend to the Go SCEP library[1], but it doesn’t look like that happened. In the meantime it makes a fairly competent standalone server at the above-mentioned invoke-openssl-by-hand level.
[1] https://github.com/micromdm/scep
This leverages the ACME DNS server which has a REST API:
* https://github.com/joohoi/acme-dns
If your DNS provider has an API, you can hook into that for internal-only web servers; this handy code supports several dozen APIs so you don't have to re-invent the wheel:
* https://github.com/AnalogJ/lexicon
* https://pypi.org/project/dns-lexicon/
* https://dns-lexicon.readthedocs.io/en/latest/user_guide.html
My way of doing private SSL (not necessarily the easiest):
* own CA, to be distributed to all systems via Ansible playbook or Dockerfile directives
* Hashicorp Vault with enabled PKI engine
* Ansible Hashivault module [1]
* Ansible role & playbook to tie it all together
* CI environment for automated deployment of SSL certs to target systems
Works flawlessly once set up, including restart/reload of affected services. Might do a writeup on my personal blog at some point.
[1] https://github.com/ansible-collections/community.hashi_vault