Show HN: Anchor – developer-friendly private CAs for internal TLS

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • bettertls

    BetterTLS: A Name Constraints test suite for HTTPS clients.

  • Have you done any research about how well different web clients support name constraints? I know that Chrome only recently started respecting Name Constraint on root CAs [1]. The BetterTLS project tracks a bunch of related concerns, but oddly missed this one [2]. I'm wary of this approach since I don't know if the various software I use will enforce it.

    1. https://alexsci.com/blog/name-non-constraint/

    2. https://github.com/Netflix/bettertls/issues/19

  • luci

    LuCI - OpenWrt Configuration Interface

  • https://github.com/openwrt/luci/blob/master/applications/luc...

    https://developer.hashicorp.com/vault/tutorials/secrets-mana... https://github.com/hashicorp/vault :

    > Refer to Build Certificate Authority (CA) in Vault with an offline Root for an example of using a root CA external to Vault.

  • Vault

    A tool for secrets management, encryption as a service, and privileged access management


  • mkcert

    A simple zero-config tool to make locally trusted development certificates with any names you'd like.

  • My project, getlocalcert.net[1] may be the one you're thinking of.

    Since I'm also building in this space, I'll give my perspective. Local certificate generation is complicated. If you spend the time, you can figure it out, but it's begging for a simpler solution. You can use tools like mkcert[2] for anything that's local to your machine. However, if you're already using ACME in production, maybe you'd prefer to use ACME locally? I think that's what Anchor offers, a unified approach.

    There are a couple of references in the Anchor blog about solving the distribution problem by building better tooling[3]. I'm eager to learn more; that's a tough nut to crack. My theory for getlocalcert is that the distribution problem is too difficult (for me) to solve, so I layer the tool on top of Let's Encrypt certificates instead. The end result for both tools is a trusted TLS certificate issued via ACME automation.

    1. https://news.ycombinator.com/item?id=36674224

    2. https://github.com/FiloSottile/mkcert

    3. https://blog.anchor.dev/the-acme-gap-introducing-anchor-part...
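Added example, not code from the original post, from Anchor, or from any of the projects listed above: the bettertls comment earlier on this page asks whether clients actually enforce name constraints on a private root CA. Go's standard crypto/x509 library does, and the program below shows the check a defender would run against their own CA setup. It builds a root constrained to the hypothetical domain internal.example, issues one leaf inside that namespace and one outside it, and verifies both the way a Go TLS client would, so the out-of-scope leaf must be rejected. All names, subjects and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LeafResult records whether a leaf chained to the constrained root for the
// given DNS name and, if not, the verification error a client would report.
type LeafResult struct {
	Name string
	OK   bool
	Err  string
}

// randomSerial returns a positive 127-bit serial, as a real CA should.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
}

// BuildConstrainedRoot creates a self-signed CA whose name constraints only
// permit DNS names under permittedDomain (e.g. the hypothetical internal.example).
func BuildConstrainedRoot(permittedDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Constrained Internal Root (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// The name constraints extension: the root may only sign for this
		// domain and its subdomains. Marked critical so an unaware client fails closed.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permittedDomain},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf signs a server certificate for dnsName with the given CA, without
// the CA itself checking the name: enforcement is the verifying client's job.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // SAN entry the constraint is matched against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckConstraint builds the constrained root, issues a leaf for each name and
// verifies it as a TLS client would, returning one result per name.
func CheckConstraint(permittedDomain string, names []string) ([]LeafResult, error) {
	root, rootKey, err := BuildConstrainedRoot(permittedDomain)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	var out []LeafResult
	for _, n := range names {
		leaf, err := IssueLeaf(root, rootKey, n)
		if err != nil {
			return nil, err
		}
		_, verr := leaf.Verify(x509.VerifyOptions{
			DNSName:   n,
			Roots:     pool,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		})
		r := LeafResult{Name: n, OK: verr == nil}
		if verr != nil {
			r.Err = verr.Error()
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	// Constructed inputs: one name inside the permitted namespace, one outside it.
	results, err := CheckConstraint("internal.example", []string{"app.internal.example", "mail.external.example"})
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-22s accepted=%-5v %s\n", r.Name, r.OK, r.Err)
	}
}
```

Running it prints the in-scope leaf as accepted and the out-of-scope leaf as rejected with Go's "not authorized to sign for this name" error. Repeating the same exercise against each client stack actually in use (OpenSSL-based tools, browsers, the JVM, language runtimes) is the practical way to answer the comment's question before relying on name constraints to contain the blast radius of an internal CA.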
