

Show HN: TinyCert – Certificates as a service - shdon
https://www.tinycert.org/

======
akerl_
"Is it safe? ... Unless you install your own CA certificate in the browser or
in the root certificate store of whatever other technology you use, they will
complain about not being able to validate the certificates. This does not mean
they are unsafe, just that they don't know to trust the certificates."

Not being able to trust that you're talking to who you think you are seems like
a serious example of "not safe".

Teaching users to click through the warning screen is a serious anti-pattern;
the reason browsers keep making it scarier / harder is to try to stop the
security theatre that occurs when using untrusted certs.

~~~
robbiet480
Instantly clear to me that this is for internal tooling use only.

"For what would I use TinyCert certificates? Any place you would use (or
should have used) self-signed certificates. Don't leave admin panels, such as
phpMyAdmin, a CMS or a webmail install without some protection to keep your
password from being intercepted. Use them to protect your test and development
installations. Use them on your local POP or IMAP servers. Or use them to test
your own code involving certificates." -
[https://www.tinycert.org/faq#use](https://www.tinycert.org/faq#use)

------
mappu
_> The generated keypairs are 1024-bit RSA public and private keys ... This is
sufficiently strong for use on the web in the present day_

1024-bit RSA certificates are considered deprecated, no longer issued, and if
they don't already throw browser warnings then they will soon.

~~~
iancarroll
Indeed, this should be changed. The root is 2048 bits, but it's still
unacceptable to issue 1024-bit certificates.

~~~
shdon
I will indeed update this. It is still a work in progress.

~~~
shdon
And now it has been updated. Any new CSRs generated will be 2048-bit.

~~~
cmdrfred
What a quick fix, I'll bookmark this and watch what it becomes.

------
sslcom
Pretty slick app, clean and easy. It has a ways to go to be adopted in a
production environment if that is indeed the goal, but it's a good start.

------
themartorana
I was glad to see this was free, as it's not _that_ difficult to do this in a
development environment. That said, as someone that once created an OSS tool
used by tens of thousands of developers - and had one single donation sent my
way - I'll probably donate to the developers.

It's great utilities like this that can help introduce you as a developer in a
crowded community.

I believe in karma - put something out there for others and it will come back
in droves. So, really cool little tool, thank you! And thanks for making it
free, I hope Karma treats you well!

Edit: formatting

~~~
kolev
This is not an OSS project though. It's free, but not OSS.

------
hsivonen
Not cool. Private keys generated on their servers and then the idea of
installing the certs as trusted in your OS/browser is mentioned. Also 1024-bit
keys. Is this some kind of test to see who falls for this?

~~~
shdon
This is not intended to be a substitute for a proper CA, not intended to be
used in production. Only for convenience and if you trust yourself and the
service, you can install your root certificate in your browser. If not,
then don't. Just like pushing past the security warning, I strongly recommend
against the procedure to end users. Only to people who know what they are
doing.

------
geoffhotchkiss
It's nice that this service is trying to make it easier, but why should anyone
trust tinycert? How can I trust that tinycert won't issue certificates without
my consent? Or sell my private keys to others?

The commands really aren't that complicated. You can (and really should) learn
how to do this if you need to issue certificates.

Also, deleting CA's doesn't seem to work.
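
The thread objects to server-generated private keys and 1024-bit RSA, and the comment above notes that the commands for running your own CA are not complicated. As an added example (not part of the thread and not TinyCert's code), this builds a 2048-bit root and leaf certificate locally with openssl; the host name `dev.example.test`, the subject names, file names and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: a per-project development CA built locally with openssl.
# Assumptions (constructed): host dev.example.test, file names, lifetimes.
set -eu

make_dev_pki() {   # $1 = output dir, $2 = host name for the leaf certificate
    dir=$1 host=$2
    mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Local Dev CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Private keys are generated here and never leave this machine.
    ( umask 077
      openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
      openssl genrsa -out "$dir/leaf.key" 2048 2>/dev/null )
    openssl req -x509 -new -config "$dir/pki.cnf" -extensions v3_ca \
        -key "$dir/ca.key" -sha256 -days 365 -out "$dir/ca.crt"
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=$host" \
        -key "$dir/leaf.key" -out "$dir/leaf.csr"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/pki.cnf" -extensions v3_leaf \
        -sha256 -days 90 -out "$dir/leaf.crt" 2>/dev/null
}

cert_key_bits() {  # print the public key size of a certificate, in bits
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

chain_ok() {       # succeed only if certificate $2 verifies against root $1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
tmp=$(mktemp -d)
make_dev_pki "$tmp" dev.example.test
echo "leaf key: $(cert_key_bits "$tmp/leaf.crt") bits"
chain_ok "$tmp/ca.crt" "$tmp/leaf.crt" && echo "leaf chains to local root"
```

Only `ca.crt` is ever imported into a trust store; `ca.key` stays on the machine that generated it, and a leaf signed by a different root fails `chain_ok`.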

~~~
shdon
Thanks for the bug report. I'll look into that.

As for why to trust it... you won't know to trust me any more than a real CA.
With a real CA you also only have their word. I've taken as many steps as I
can to ensure that the private keys are not kept unencrypted anywhere where
this is not needed (and they are only needed when signing something and when
you request a download) and that the passphrase is in flight as short as
possible.

While anything is theoretically possible with enough malicious intent, I've
made selling private keys or issuing certificates with your private key
without your consent as exceedingly difficult as possible for myself.

~~~
shdon
Deletion is fixed.

------
tatterdemalion
This obviously should not be added to the list of trusted CAs in any browser,
and these certs should not be used in the public web. Unfortunately, neither
should many certificate authorities be trusted.

[https://www.youtube.com/watch?v=pDmj_xe7EIQ](https://www.youtube.com/watch?v=pDmj_xe7EIQ)

~~~
shdon
Just to clarify: there is not 1 root certificate for all of the TinyCert
generated certificates. There are root certificates for every single account.
I did this intentionally to ensure that nobody would be careless enough to
trust such a root and thus implicitly trust every TinyCert certificate
everywhere. Basically, only the people who created their own CA through
TinyCert have any business installing their root certificates (and only
theirs!) into their browsers.

------
opless
This is very much like something I built years ago.

It was just a front end to a back end that didn't exist yet, but it's brought
back some nice memories. Thanks!

------
neonlex
I don't like the idea of not having my development certificates under control.
They should be as secure as the production certs in my opinion. I use PHPKi
for that purpose, it's not pretty but easy to set up and it runs in my own
environment.

------
kolev
I just wonder why there's zero info about who's behind this.

~~~
rolfvandekrol
This guy: Steven Don (@shdon):
[https://twitter.com/shdon](https://twitter.com/shdon)

Same nickname as the OP and tweets about tinycerts.

~~~
kolev
Thanks! It's a great project and better transparency will definitely help its
adoption.

