

My weekend project - Create a self-signed SSL certificate instantly and for free - dimastopel
http://www.cert-depot.com/

======
swalberg
This is nice. I could see myself using it even though I normally do this on
the command line, as this would be faster.

Comments:

* You're often too literal, especially given your audience is going to be largely people that find it too complex to do it manually themselves. People don't think of "common names", they think "url" or "hostname".

* Where's my back button?

* Again on the literal front, you've copied the OpenSSL descriptions of OU and stuff and expect the user to know what it is. Fill in sample data or placeholder so that it helps the user figure out what they want, should they want to customize it. Consider removing fields if no one cares.

* Do you even need the second screen? You could just put "domain name" and "secret key passphrase" on the front page and go straight to the download after that.

* If you want to make it more helpful, on the download page have something like "What next?" and have some pointers to installation/configuration instructions.

~~~
dimastopel
Thanks for the constructive feedback! Will add to my todos.

------
zenazn
Pretty cool, but there are a couple injection vulnerabilities when you make
the cert.

~~~
dimastopel
Yes, I haven't enforced proper security yet. Proper throttling handling should
be added too. Will add. Thanks!
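
The injection risk raised above comes from handing a user-typed field (hostname, organization, passphrase) to openssl through a shell string. An added example, not the site's own code (the thread does not show its stack): a POSIX shell wrapper that accepts only an RFC 1123 hostname and passes it to openssl as a separate argument, so nothing the user types can reshape the subject or the command line. The names `valid_hostname`, `subject_for` and `make_csr` are chosen here.

```shell
# valid_hostname HOST: RFC 1123 syntax only. Anything outside letters, digits,
# hyphens and dots (spaces, quotes, slashes, semicolons, newlines) is rejected.
valid_hostname() {
  h="$1"
  [ -n "$h" ] && [ "${#h}" -le 253 ] || return 1
  case "$h" in
    *[!A-Za-z0-9.-]*) return 1 ;;   # character outside the allowed set
    .*|*.|*..*)       return 1 ;;   # empty label
    -*|*-|*.-*|*-.*)  return 1 ;;   # label starting or ending with a hyphen
  esac
  # each label is at most 63 characters
  old_ifs=$IFS; IFS=.
  for label in $h; do
    if [ "${#label}" -gt 63 ]; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  return 0
}

# subject_for HOST: the -subj value for a validated hostname; fails otherwise.
# Because '/' and '=' never pass validation, the user cannot append extra RDNs.
subject_for() {
  valid_hostname "$1" || return 1
  printf '/CN=%s' "$1"
}

# make_csr HOST DIR: key and CSR for HOST in DIR. The hostname reaches openssl
# only as its own argv element (never via eval or a string passed to sh -c),
# and the key is created 0600 through the umask in the subshell.
make_csr() {
  host="$1"; dir="$2"
  subj=$(subject_for "$host") || { echo "rejected hostname: $host" >&2; return 1; }
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "$subj" -keyout "$dir/$host.key" -out "$dir/$host.csr" )
}

# Usage: sh this_script.sh example.test ./out
if [ "$#" -eq 2 ]; then
  make_csr "$1" "$2"
fi
```

Throttling, which the reply also mentions, sits in front of this wrapper rather than inside it; the validator's job is only to make sure a request can never turn into a different openssl invocation than the one intended.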

------
atldev
Nice work. This is easier to share with someone than pointing them to openssl.
Also, misspelled oxygen in "feedback is my oxigen".

~~~
dimastopel
Fixed, thanks.

------
blibble
as I stated the last time a site like this appeared on the front page: the
third party running the site has your private key, so they can decrypt
everything

are two openssl commands really that hard?

(yes it's a self signed cert, but it's still a bad idea)

------
dimastopel
Your comments / suggestions / bug reports are very welcome. Thanks.

------
anuaitt
you could also integrate the paid verified SSLs into this. I remember
generating it from GoDaddy was a pain. By the way, nice work.

~~~
dimastopel
Thanks. I'll have to integrate with trusted CAs for this. Will check this out.

~~~
e12e
Wait... you're not using the browser's SSL engine, as far as I can tell? So
you have a copy of the secret key? Please, _do not_ integrate directly, the way
your server is set up now.

That said, it's a nice GUI (WUI?) for generating the needed openssl.conf
parameters -- so I'm sure you could offer to download that or something, along
with copy-paste tools for the needed openssl-stuff (openssl -config genrsa...
etc).

Also, while you need to do your own req, I find <http://CAcert.org> actually
is great for my use of private/personal/etc certs.

I actually use a script along the lines of:

    
    
    #!/usr/bin/env bash
    # Helper script for generating ssl keys/reqs

    #Set the variables used for the script
    #Expands filenames and paths
    function expand_vars
    {
      stamp=$(date +%d%m%Y)

      prefix=.

      conf=$prefix/conf/$host.conf
      key=$prefix/private/$host-$stamp.key
      csr=$prefix/csr/$host-$stamp.csr
    }

    #Print usage help
    #(the heredoc terminator must start at column 0, or bash never finds it)
    function usage
    {
    cat <<eof

    $0 <hostname>

      Generate new key and csr for <hostname>

      Files:
      $conf
      $key
      $csr
    eof
    }

    if [[ $# -ne 1 ]]
    then
      #Set host to a format that lends itself for the usage()-text
      host="<hostname>"
      expand_vars
      usage
      exit 1
    fi

    host="$1"
    expand_vars

    if [[ ! -r "$conf" ]]
    then
      echo "Cannot read config file $conf"
      echo "Please make a symlink in ./conf to $conf"
      exit 1
    fi

    #Refuse to overwrite an existing key or csr
    for f in "$key" "$csr"
    do
      if [[ -e "$f" ]]
      then
        echo "$f exists! Please move/delete before attempting to generate new cert"
        exit 1
      fi
    done

    echo "Warning: Generating *new* key -- manually create cert if this is not what you want!"

    openssl req -config "$conf" -keyout "$key" -new -out "$csr"

    #Key must not be world-readable
    chmod 0640 "$key"

Along with a config file of the form:

    
    
    #This is in conf/example.com.conf
    [ req ]
    default_bits = 4096
    prompt = no
    encrypt_key = yes
    #sha1 signatures are no longer accepted by CAs or browsers; sha256 is the current minimum
    default_md = sha1
    distinguished_name = dn
    #the option is spelled utf8 (utf-8 is silently ignored)
    utf8 = yes

    [ dn ]
    #Two-letter country code
    C = EX
    O = Organization Name
    CN = example.com
    ST = State
    L = City
    emailAddress=you@example.com
    

More advanced scripting is possible -- but now I just copy the config-file and
edit the CN -- and run the script and end up with a separate key-file and csr.
Upload the csr to cacert.org, get back a cert that I save alongside the key
and the csr -- all named with timestamps of generation.
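
The script and config above stop at the CSR, and blibble's comment earlier in the thread is about the other half: the key never needs to leave your machine, because the same openssl that made the CSR can sign it. An added example, not e12e's script or the site's code, that covers both: it writes a req config for a hostname, generates the key and CSR, self-signs the CSR locally, and then checks that key, CSR and certificate carry the same public key (a cert that does not match its key is useless on a server). It assumes openssl 1.1.1 or later on PATH; the hostname, output directory and the function names `write_req_conf`, `make_selfsigned`, `cert_cn` and `cert_san` are choices made here. It also adds a subjectAltName, which browsers now require even for self-signed certs (CN alone is not enough).

```shell
# write_req_conf HOST PATH: req config for HOST, with the name repeated as a
# DNS SAN in the [ ext ] section. sha256 and utf8 are the current spellings.
write_req_conf() {
  cat > "$2" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
encrypt_key        = no
default_md         = sha256
distinguished_name = dn
req_extensions     = ext
utf8               = yes

[ dn ]
C  = EX
O  = Organization Name
CN = $1

[ ext ]
subjectAltName = DNS:$1
EOF
}

# make_selfsigned HOST DIR: key, CSR and self-signed cert in DIR. The private
# key is written 0600 through the umask and never leaves this machine.
# Returns 0 only if key, CSR and certificate share the same public key.
make_selfsigned() {
  host="$1"; dir="$2"
  conf="$dir/$host.conf"; key="$dir/$host.key"
  csr="$dir/$host.csr";   crt="$dir/$host.crt"
  mkdir -p "$dir" || return 1
  write_req_conf "$host" "$conf" || return 1
  # The "two openssl commands": new key + CSR, then sign the CSR with that key
  ( umask 077 && openssl req -config "$conf" -new -keyout "$key" -out "$csr" ) \
      2>/dev/null || return 1
  openssl x509 -req -in "$csr" -signkey "$key" -days 365 -sha256 \
      -extfile "$conf" -extensions ext -out "$crt" 2>/dev/null || return 1
  # Consistency check: all three must expose the identical SubjectPublicKeyInfo
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null)      || return 1
  r=$(openssl req  -in "$csr" -pubkey -noout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# cert_cn CERT: the subject CN, e.g. "example.test"
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_san CERT: the DNS names in subjectAltName, e.g. "DNS:example.test"
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'
}

# Usage: sh this_script.sh example.test ./out
if [ "$#" -eq 2 ]; then
  make_selfsigned "$1" "$2" \
    && echo "ok: $(cert_cn "$2/$1.crt") $(cert_san "$2/$1.crt")"
fi
```

For a CA-issued cert (CAcert or a commercial CA) you stop after the `openssl req` step and upload only the `.csr`; the `.key` stays where it was created with mode 0600, which is exactly what a hosted generator cannot offer.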

------
gwae
I just sent a security issue (via GitHub).

~~~
dimastopel
Got it, thanks a lot.

