New on LowEndTalk? Please Register and read our Community Rules.
Anyone running their own CA for self-signed certs?
texteditor
Member
in Help
I want to create a simple CA for myself for all the services I set up for myself that need SSL, so I don't have to keep accepting "untrusted" certificates in every application for every site on every device that I connect to them with.
I found a few things on GitHub that might be usable, but I'm wondering if anyone else has suggestions too.
Comments
I do this for VPNs and some web sites that are internal in nature. I've found EasyRSA to be pretty straightforward.
Also, even if one is using a self-signed certificate without a CA, usually one can just add the public certificate to the device, which will then prevent the untrusted errors.
I used to use CAcert for this purpose. They already run a CA for you that's recognized as trusted in some limited OSes and applications (it used to be in Debian, but isn't anymore). On other devices you can just install their root cert.
However, now with https://assl.loovit.net/ https://www.lowendtalk.com/discussion/comment/1720425/#Comment_1720425 there is no point anymore either in CAcert or in running your own CA. At least for the time being we can just get real, valid wildcard certs for free.
On another front, I recently found a good and simple Let's Encrypt client, https://github.com/lukas2511/letsencrypt.sh, which doesn't try to mess with my system or web server configs, doesn't try to install anything anywhere, runs well under an unprivileged user and is entirely contained in its own dir. So I had to change my stance on LE and admit that, with all these conditions met, it can be a convenient and usable service.
And finally, if you have just a handful of domains/hostnames (5 or fewer) and don't expect them to change often, you could just get a free WoSign multi-domain certificate valid for 3 years.
Any of these options beats bothering with running your own CA and keeping its certs installed on each and every device that you might use.
Google Chrome doesn't support their website, as it shows the following error:
NET::ERR_CERT_AUTHORITY_INVALID
More likely it should display:
ERR_CERT_AUTHORITY_IS_FAKE
They have a limited inclusion status: https://en.wikipedia.org/wiki/CAcert.org#Inclusion_status
Just visit their site with HTTP and from there get the root cert if you're interested.
I'll take a closer look at Let's Encrypt now that standalone tools like that exist. I don't like the idea of having to get it reissued every few months.
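A small check for the reissue concern raised in this reply, added here as an example and not taken from the thread or from any Let's Encrypt client: a renewal cron job only needs to know whether a certificate is inside its renewal window, and `openssl x509 -checkend` answers exactly that without any date arithmetic. The 30-day threshold and the throwaway self-signed certificate in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a certificate is due for renewal.
set -eu

# needs_renewal CERT DAYS -- exit 0 if CERT will expire within DAYS days, 1 otherwise
needs_renewal() {
  local cert="$1" days="$2"
  # -checkend N exits 0 when the cert is still valid N seconds from now,
  # and non-zero when it will have expired by then.
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    return 1
  fi
  return 0
}

# make_test_cert FILE DAYS -- constructed sample input: a throwaway self-signed cert valid for DAYS days
make_test_cert() {
  local file="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$file.key" -out "$file" \
    -days "$days" -subj "/CN=example.test" 2>/dev/null
}

# Demo: a 10-day cert is inside a 30-day renewal window (threshold is an assumption)
tmp=$(mktemp -d)
make_test_cert "$tmp/short.crt" 10
if needs_renewal "$tmp/short.crt" 30; then
  echo "short.crt: renew now"
else
  echo "short.crt: still fine"
fi
rm -rf "$tmp"
```

Drop `needs_renewal /path/to/fullchain.pem 30 && run-your-client` into a daily cron entry and the client is only invoked when it actually has something to do; with Let's Encrypt's 90-day certificates a 30-day window leaves room for a few failed attempts before anything expires.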
Yes, I do. I just wrote a tiny bash script (or two). In connection with an openssl.conf it should be enough for personal use. This helped me a lot: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html - If you want my "scripts", let me know, but I promise there is nothing in that script you can't do by yourself.
Official list of Let's Encrypt third-party clients at https://letsencrypt.org/docs/client-options/
A long time ago I used CAcert for all of my services, but since moving to a wildcard SSL cert I've never looked back.
Don't bother using Let's Encrypt, because of their public lists.
What do you mean by this?
Some time ago I saw a website that had data on all domains using Let's Encrypt (I don't remember the link anymore, maybe someone here knows?) in one place. You know what that means, right? Some have interesting subdomains (admin-*, private-*).
A hacker wannabe no longer needs to scan the entire internet to get a target.
That's called Certificate Transparency, and it's designed so that people can watch which certs they issue and ensure no malicious certs are issued via exploits or security holes, like recently in StartEncrypt.
No, not really, what? What do I risk from publishing (teh horror!) my website address?
If you have a super sekrit domain name as your only protection, then god help you.
It's the same as when people say changing the SSH port to another port won't help you; we can't have all people agree with that, right? But I prefer to change my SSH port and keep my private subdomain out of public lists.
I used a PHP web interface for this some time ago. TinyCert seems interesting as well.