Show HN: A tool for creating custom TLS CA bundles - Lukasa
https://mkcert.org/

======
0x0
OK, but you could also just run "dpkg-reconfigure ca-certificates" or use
Keychain Access to mark undesirable authorities "Do Not Trust".

------
ris
"If you still don't trust us, we encourage you to download the source, build
it yourself and run the service on your own hardware."

Or you could just download Debian's ca-certificates package and cat together
all the .crt files you choose into a .pem. Much quicker & simpler.

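The "cat the .crt files you choose into a .pem" approach from the comment above, written out with the checks a practitioner would want before trusting the result. This is an added example by the editor, not code from mkcert, from the commenter, or from Debian's ca-certificates package. It assumes one PEM certificate per .crt file (the layout under /usr/share/ca-certificates/mozilla/) and a hand-written keep-list of filenames; the certificate bodies in the built-in fixture are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (editor's own, not mkcert's or Debian's): build a custom CA
# bundle from a directory of single-certificate PEM files, keeping only the
# names on an allowlist and refusing anything that is not exactly one
# CERTIFICATE block (a stray private key, a bundle, an empty file).
set -eu

# Usage: build_bundle SRC_DIR KEEP_LIST OUT_FILE
# Prints the number of certificates written; returns 1 on any refusal.
build_bundle() {
    src=$1; keep=$2; out=$3
    : > "$out"
    n=0
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;                       # blank lines and comments
            */*) echo "build_bundle: refusing path in keep-list: $name" >&2; return 1 ;;
        esac
        f="$src/$name"
        if [ ! -f "$f" ]; then
            echo "build_bundle: missing $name" >&2
            return 1
        fi
        begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
        ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
        if [ "$begins" != 1 ] || [ "$ends" != 1 ] || grep -q -- 'PRIVATE KEY' "$f"; then
            echo "build_bundle: rejecting $name: not a single PEM certificate" >&2
            return 1
        fi
        cat "$f" >> "$out"
        # Guarantee a trailing newline so the next block cannot fuse with this one.
        if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$out"; fi
        n=$((n + 1))
    done < "$keep"
    echo "$n"
}

# Constructed fixture: three fake "root" files, one file that is really a
# private key, and a keep-list that leaves one root out. The bodies are
# placeholders and would not parse as X.509; see the usage note for the
# openssl check to run on real files.
make_fixture() {
    dir=$1
    mkdir -p "$dir/certs"
    for name in Good_Root_A Distrusted_Root_C; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "MIIBfake$name" \
            '-----END CERTIFICATE-----' > "$dir/certs/$name.crt"
    done
    # Deliberately written without a trailing newline.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIBfakeGood_Root_B' \
        '-----END CERTIFICATE-----' > "$dir/certs/Good_Root_B.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBfakekey' \
        '-----END PRIVATE KEY-----' > "$dir/certs/oops.crt"
    printf '%s\n' 'Good_Root_A.crt' \
        '# Distrusted_Root_C.crt is intentionally not listed' \
        'Good_Root_B.crt' > "$dir/keep.txt"
}

# Demo run against the fixture.
tmp=$(mktemp -d)
make_fixture "$tmp"
count=$(build_bundle "$tmp/certs" "$tmp/keep.txt" "$tmp/bundle.pem")
echo "wrote $count certificates to $tmp/bundle.pem"
rm -rf "$tmp"
```

For real use, point it at /usr/share/ca-certificates/mozilla with a keep-list of the .crt names you actually want, and before trusting any file confirm it parses and read its subject with `openssl x509 -noout -subject -in FILE`. Debian's own mechanism for the same outcome is to prefix unwanted entries in /etc/ca-certificates.conf with `!` and run update-ca-certificates, which is what dpkg-reconfigure ca-certificates edits for you.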
------
timmclean
Trust exactly who you want to trust... as you download certificates from a
random person's server.

But seriously, great idea, but wouldn't this be better as a command-line tool
installable via a package manager? At least then it could be audited.

~~~
Lukasa
Yes indeed, and you can do just that. The API server is open-source[1], and
it's been Dockerized. Anyone who's really paranoid should absolutely run the
server themselves.

[1]: [https://github.com/Lukasa/mkcert](https://github.com/Lukasa/mkcert)

~~~
timmclean
That's great! Thanks for open sourcing it. I really don't think there's much
value though if it's not self-hosted -- it just adds another point of failure
to the CA system.

Edit: what if this were built into Firefox? Could the certificate manager
accommodate some UI improvements and an export feature?

~~~
Lukasa
Re building into Firefox: It absolutely could, and I'd love it if someone went
ahead and did it. That would be a big coup for Mozilla and it simply can't be
that hard to do. Hell, the Chrome guys could do it, mkcert is built on one of
Adam Langley's tools anyway.

As for self-hosting, I think anyone who wants to deploy mkcert in anger should
self-host, and I believe I've made it trivial to do that. There are some steps
I can still take to improve this: I want to pin Mozilla's cert in the client
so that it can't be MITM'd, for example.

------
xvilka
The world needs wider adoption of DANE instead.

