by andmarios
3928 days ago
It seems nice! A few days back I was playing a bit with golang's crypto and examples and I created a small CLI app[1] to generate CAs and private key - certificate pairs signed by them. I wanted to create a small web service on top too (no need for sign up though, just check some fields and download a zip with your files) but haven't found time. The most difficult problem, imo, remains the management and not the creation of the keys and certs. I occasionally use them to connect backend services securely, so I have to install the root cert to every server OS and every JVM-based app (here we create a keystore). Then I have to install each private key and certificate to the appropriate service. If the service is JVM-based we also have to adjust its command line switches. Should a private key get stolen and we have one root CA for all services, we should delete and recreate everything. PKI is complex and with tens or hundreds of services it's almost impossible to manage. Even the simplest task, like downloading a file from a Nexus repository by a JVM-based app using HTTPS and a free StartSSL certificate, is very hard, since Oracle doesn't include StartCom's root CA.

[1] https://github.com/andmarios/quickcert