Setting up a trusted, self-signed SSL/TLS certificate authority in Linux

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. mkcert

    A simple zero-config tool to make locally trusted development certificates with any names you'd like.

    Interesting, I just checked whether mkcert (the popular way of doing this) supports it and found two issues:

    https://github.com/FiloSottile/mkcert/issues/131

    https://github.com/FiloSottile/mkcert/pull/113

    Hopefully Filippo revisits this now that it's broadly supported.

  3. cli

    🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc. (by smallstep)

    I previously used openssl-based scripts to generate certificates to use for local development or applications on a private network. I have since moved to using the step CLI [1].

    OpenSSL is powerful, but it's hard to figure out how to use correctly. Each command seems cryptic no matter how many times I use it.

    The step CLI is a lot simpler, even though it has a few quirks: generating PKCS1 formatted private keys instead of the newer PKCS7 format, making every leaf certificate eligible to be either a server certificate or a client certificate, and absurdly low default certificate expirations.

    1: https://github.com/smallstep/cli

  4. Caddy

    Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

    https://github.com/caddyserver/caddy/issues/5759 :

    > When generating a CA cert via caddy and putting that in the trust store, those private keys can also forge certificates for any other domain.

    RFC 5280 (2008), "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", Section 4.2.1.10

  5. internal-contstrained-pki

    Safely shareable TLS root CA for .internal networks using Name Constraints

    See this for a simple CA tutorial script including Name Constraints using only OpenSSL:

    https://github.com/nh2/internal-contstrained-pki

  6. easy-rsa

    easy-rsa - Simple shell-based CA utility

  7. bettertls

    BetterTLS: A Name Constraints test suite for HTTPS clients.

    It says "Proposed Standard" on the RFC; maybe that's why it's not widely implemented, if that's the case?

    The Name Constraints and archived results at https://bettertls.com/ don't seem to list recent versions of SSL clients?

      nameConstraints=critical,
