Creating a CA for development, and signing SAN/UCC certificates

This post talks about why I came up with https://github.com/jaysh/free-ca. If you want to dive straight into creating your own CA (and certificates), skip ahead to that project.

As time has passed, browsers have really turned their back on self-signed SSL certificates. This is perfectly understandable, of course: humans are probably the weakest link in the whole SSL system.

Originally, a browser would give a simple warning that the certificate was self-signed. These days, they put up a full-page splash before you're allowed to step through it. Even when you do, Chrome strikes a nice red line through the https:// to say "yes, this is https, but you're probably not as secure as you think".

Over time, I grew tired of this. Running Dokku allowed me to have project-name.dokku.lan.jay.sh, which was almost like a dream come true. For security, I also wanted to run the projects over https. Storing an exception in your browser for project1.projects.lan.jay.sh is fine - but by the time I hit project10000.projects.lan.jay.sh, my patience soon wore thin.

The question is: why didn't I just pipe down and buy an SSL certificate? Because they're not cheap when you want more than one wildcard. You can get a single wildcard for ~$50 (which I was happy to pay), but what I am not prepared to do is pay $50 for *.jay.sh, another $50 for *.projects.jay.sh and so on. The point of a wildcard is so you don't need to buy more than one of them - so my use case seemed to defeat their designated purpose.

Instead, I:

  1. Generated my own Certificate Authority (CA).
  2. Installed this CA in Firefox, Chrome, etc.
  3. Generated as many certificates as I liked, easily and conveniently.

In order to do this, I did a lot of research. I found that OpenSSL was not at all helpful when you wanted to generate a CA, nor when you wanted your CA to sign a certificate with many Subject Alternative Names (SANs). In fact - it was so unhelpful, it didn't even seem possible to do it on the command line. You had to manually edit openssl.cnf and inject the values there.

After much effort, and managing to figure out how to do it, I decided to wrap all of my commands in some really simple bash scripts dubbed FreeCA for everyone else to enjoy: https://github.com/jaysh/free-ca. Using this, it's a doddle to create the CA - and generate as many certificates as you like, with each one containing as many SANs as you can shake a stick at.
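To show what the three steps above boil down to at the openssl level (including the openssl.cnf juggling the previous paragraph complains about), here is an added example. It is not FreeCA's code and not from the original post; every directory, subject name and hostname in it is constructed for the demo. It creates a throwaway CA, signs a certificate carrying several DNS SANs, and then runs the two checks a practitioner actually cares about: does the leaf chain to the CA, and does a given hostname match one of its SANs.

```shell
# Added example (not code from FreeCA or the original post): a throwaway development
# CA plus one certificate carrying several DNS Subject Alternative Names, driven
# entirely by the openssl CLI. Every path, subject name and hostname is constructed.

# make_dev_ca DIR -- write DIR/ca.key and a self-signed DIR/ca.crt marked as a CA.
make_dev_ca() {
  dir="$1"
  mkdir -p "$dir"
  # The extensions cannot be given on the command line portably, so they go in a
  # small config file of our own instead of the system openssl.cnf.
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
CN = Dev CA (example only)
[ca_ext]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # ca.key is the entire secret: whoever holds it can issue certificates that
  # every browser trusting ca.crt will accept, so keep it off shared machines.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 \
    -config "$dir/ca.cnf" -out "$dir/ca.crt"
}

# sign_san_cert DIR NAME HOST... -- key + CSR for NAME, signed by the CA in DIR,
# with every HOST listed as a DNS SAN (the first HOST doubles as the CN).
sign_san_cert() {
  dir="$1"; name="$2"; shift 2
  cat > "$dir/$name.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
[dn]
CN = $1
[leaf_ext]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = @alt_names
[alt_names]
EOF
  i=1
  for host in "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$host" >> "$dir/$name.cnf"
    i=$((i + 1))
  done
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" -out "$dir/$name.csr"
  # The SAN list comes from the -extfile section, not from the CSR, so the CA
  # (not the requester) decides which names end up in the certificate.
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -sha256 \
    -extfile "$dir/$name.cnf" -extensions leaf_ext -out "$dir/$name.crt" 2>/dev/null
}

# verify_chain DIR NAME -- succeeds only if NAME.crt was issued by DIR/ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# verify_host DIR NAME HOST -- the check a browser performs: the chain must be
# valid AND the hostname must match one of the SANs (the CN alone does not count).
verify_host() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# list_sans DIR NAME -- print the subjectAltName entries of the issued certificate.
list_sans() {
  openssl x509 -in "$1/$2.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
```

Typical use is `make_dev_ca ./devca` once, then `sign_san_cert ./devca app app1.dev.example app2.dev.example` per project; `verify_host ./devca app app2.dev.example` succeeds while an unlisted name fails, which is exactly what the browser will do. Step 2 of the list above means importing only ca.crt into the browser's trust store; ca.key never leaves the machine that issues certificates.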