Private CA
March 2, 2015

If you are like me, then you like to build your own web applications that solve your own niche problems. An issue that always comes up is where to host these small applications that only you will ever use. A decent solution is to use an old machine you have lying around. This is cheaper than buying hosting, as you only ever have to pay for the electricity to run the machine and for Internet.
However, the trade-off with self-hosting is administration. If you are lazy, like me, then you hate setting up proper SSL for your applications. It usually takes about an hour to get set up if you haven't done it before, and if you want most of the clients/browsers you use to recognize the certs, you have to pay for them. The alternative is self-signed certificates, which you then have to install on each of your hosts. But if you have more than one cert, or you have to change the hostname of a single application, you have to re-import the cert.
I was looking around for solutions to this problem when I found this article about private certificate authorities. It basically goes over setting up a root certificate that you can use to sign any domain certificate you like. The nice thing about this approach is that after you create your CA, you only have to import it once per client/browser. Then, any domain certificate you sign with it will be trusted automatically. Now that's neat. It also makes sense, because that is how the whole chain-of-trust approach is supposed to work.
Still though, that is too much for me to remember. So I set up this project on GitHub called private-ca. The project includes two shell scripts. The ca.sh script will automatically generate a private CA that you can use to sign all your domain certs. The domain.sh script will let you generate certs for any of your domains. Super simple: you don't need to remember any of the verbose openssl commands.
Now you can post your CA certificate as a GitHub gist, download and install it on any client, and that client will automatically trust any of your domain certificates.
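To show what the two scripts boil down to, here is an added example (not the private-ca project's own ca.sh or domain.sh) that builds a root CA, signs a certificate for one hostname with it, and then runs the same chain check a client performs once ca.crt has been imported. It assumes only that the openssl CLI is installed; the CA name, the hostname notes.home.example and the directory under /tmp are made up for the demo.

```shell
#!/bin/sh
# Added example, not the private-ca project's own ca.sh/domain.sh: the same
# two steps (build a root CA, sign a domain cert with it) written out as plain
# openssl commands, plus the verification a client does once ca.crt is imported.
# Assumes the openssl CLI is on PATH; every name and path below is made up.
set -e

# Step 1: a root CA = private key + self-signed certificate marked CA:TRUE.
# A throwaway config file keeps the extensions explicit instead of relying on
# whatever the system openssl.cnf happens to contain.
#   $1 = directory to write ca.key / ca.crt into
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Home CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -sha256 \
    -days 3650 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  chmod 600 "$dir/ca.key"  # whoever holds this key can mint trusted certs
}

# Step 2: a leaf certificate for one hostname, signed by the CA from step 1.
# Browsers match the hostname against subjectAltName, not the CN, so the SAN
# is set explicitly; CA:FALSE stops the leaf from being used to sign others.
#   $1 = CA directory, $2 = hostname (also the output file prefix)
make_domain_cert() {
  dir="$1"; host="$2"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" \
    > "$dir/$host.cnf"
  openssl req -new -config "$dir/$host.cnf" -newkey rsa:2048 -sha256 -nodes \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
    "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -sha256 -days 825 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
  rm -f "$dir/$host.csr" "$dir/$host.ext" "$dir/$host.cnf"
}

# What a client effectively does after importing ca.crt: walk the chain from
# the leaf up to the trusted root. Exit status 0 means the cert is trusted.
#   $1 = directory holding ca.crt, $2 = path to the leaf certificate
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Demo: one CA, one domain cert, one verification.
demo="${TMPDIR:-/tmp}/private-ca-demo.$$"
make_ca "$demo"
make_domain_cert "$demo" "notes.home.example"
if verify_cert "$demo" "$demo/notes.home.example.crt"; then
  echo "notes.home.example.crt chains to $demo/ca.crt"
fi
```

The ca.key written by make_ca is the one file that must never leave the machine: anyone holding it can issue a certificate for any hostname that every client with ca.crt installed will accept. The leaf certs are deliberately marked CA:FALSE so that a compromised application key cannot be used to sign further certificates.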
NOTE: this goes without saying, but you shouldn't commit your private keys to a public github repo.
Thanks.