Is there a custom SSL certificate authority I can add to my browser?

We use lots of internal URLs like

http://www.somproject.somebranch/ for working on individual branches

It would be cool if there was some service I could add to my browser/OS which would let me use a single cert (or easily generate certs) for non-real domains. Does this exist, or is this just a #firstworldproblem?

mcintyre321

1 Answer

The point of a custom CA is that you have to create it yourself (by being the holder of the private key for the CA certificate, in particular). Importing just any available CA certificate into your browser would mean that anyone with its private key could issue certificates recognised by your browser (usually for any site, unless there is a specific policy).

There are a few tools to manage a CA:

Most of the hard work is the administrative part (not so much sysadmin, but paperwork) in general. If it's just for you, EJBCA or OpenCA might be overkill.

Bruno
  • Looks like there isn't quite the service I am looking for... I'm really after a 3rd party site which is a CA for non-real domains. I guess I could create one using these tools. – mcintyre321 Apr 26 '12 at 08:54
  • Do you mean you're after an existing service that has deployed these tools? – Bruno Apr 26 '12 at 16:40
  • Ideally - I want to be able to use ssl on custom internal domains like http://www.myapp.branchXXX/ - if I could add a browser setting that would trust http://internalcertificates4u.com that automatically said non-real sites were secure, and had a single certificate that I could install on all my dev boxes, it would make life easier. – mcintyre321 Apr 26 '12 at 20:52
  • I'm still not clear whether you want a service to do that for you or if you're willing to install/use the tools above yourself. TinyCA and CA.pl will definitely be able to issue certificates for fictitious host names that you only use internally (I think the others too). – Bruno Apr 26 '12 at 20:55
  • If there is no service, then I guess you have told me how to make one! – mcintyre321 Apr 26 '12 at 22:54
  • I doubt there is such a service, and I would recommend against using it anyway in general. Suppose anyone can self-issue a certificate from that CA without any justification and that some developers import it into their browser for testing, forget to remove it later and use the same browser to check their bank account (or similar). The CA would be trusted, but anyone could have issued a valid cert for any site, including legitimate sites used by one of the testers. By having your own, you limit the risk a little (at least users have to trust their co-workers with the CA private key). – Bruno Apr 26 '12 at 23:01
  • I would hope that it wouldn't validate any real-life top-level domains – mcintyre321 Apr 27 '12 at 10:41
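Bruno's answer and the last two comments describe running a CA yourself and limiting what it is able to vouch for. As an added example (not code from the answer or from any of the tools it mentions), the following shell script uses the openssl command line to create a private CA whose nameConstraints extension only permits host names under an internal suffix, issues a leaf certificate for an internal host, and lets you confirm that a certificate for a real-world name does not verify against that CA. The CA name "Dev Internal CA", the suffix ".somebranch" and the host names are constructed for the example.

```shell
#!/bin/sh
# Added example: a private CA with a name constraint, built with openssl.
# All names below are constructed; requires OpenSSL 1.1.1 or later (-addext).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the CA key and self-signed root certificate. The critical
# nameConstraints extension means a verifier that honours constraints will
# reject anything this CA signs for a host outside ".somebranch", so a
# forgotten import cannot be used to vouch for a real site.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Dev Internal CA" \
    -addext "nameConstraints=critical,permitted;DNS:.somebranch" 2>/dev/null
}

# Issue a server certificate for one host name, signed by the CA above.
# Signing itself does not enforce the constraint; verification does.
issue_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

# Exit 0 only if the leaf chains to the CA and satisfies its name constraint.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
```

Run `make_ca`, then `issue_cert www.somproject.somebranch` and `verify_cert www.somproject.somebranch` succeeds, while a certificate issued for `www.example.com` by the same CA fails `verify_cert` with a permitted-subtree violation.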