by ivanr 3930 days ago
I quite like the idea of TinyCert and often wanted to do something similar myself. Although creating a private CA is not a lot of work initially, maintaining it is a hassle, especially when you'd rather be doing something else. TinyCert could be useful for development teams (and other similar non-security-critical uses) to get rid of self-signed certificates altogether.

However, for me, the fact that they have all the private keys is a deal breaker. Further, I'd like to see the certificates name-constrained to specific development hostnames. And I don't like the fact that the keyUsage and extendedKeyUsage fields are not locked down. If I am going to install a private CA root, I want to have the smallest possible attack surface.

Overall, if they offer this as something that can be locally installed, it could be a useful product. Especially if it integrates with a low-cost HSM, for example https://www.nitrokey.com/

In the meantime, for anyone looking for good documentation on how to achieve the same using just OpenSSL on the command line, I have an easy-to-follow guide as part of my OpenSSL Cookbook:

https://www.feistyduck.com/library/openssl-cookbook/online/c...

1 comments
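The lock-down asked for in the comment above (name constraints, restricted keyUsage and extendedKeyUsage), sketched as an added example that is not part of either comment or of the linked guide. The hostnames, subject name and file names are constructed, and the key is generated locally and thrown away:

```shell
#!/bin/sh
# Added example: throwaway dev CA with name constraints and locked-down usage.
# Hostnames, subject names and file names are constructed for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Constructed Dev Root CA
[ca_ext]
basicConstraints     = critical,CA:true,pathlen:0
keyUsage             = critical,keyCertSign,cRLSign
extendedKeyUsage     = serverAuth
nameConstraints      = critical,permitted;DNS:dev.example.test
subjectKeyIdentifier = hash
EOF
  # Key is generated locally; -nodes (no passphrase) only because it is disposable.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_leaf() {  # $1 = DNS name for the server certificate
  printf '%s\n' 'basicConstraints = critical,CA:false' \
    'keyUsage = critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$1" > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 7 -extfile "$WORK/leaf.ext" -out "$WORK/$1.crt" 2>/dev/null
}

chain_ok() {  # succeeds only if the leaf for $1 validates under the constrained root
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1 | grep -q ': OK$'
}

make_ca
issue_leaf api.dev.example.test   # inside the permitted subtree
issue_leaf www.example.com        # outside it: the CA will sign, verifiers reject
for h in api.dev.example.test www.example.com; do
  if chain_ok "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

The constraint is enforced by the verifier, not the signer, so before installing such a root, confirm that each client that will trust it honours nameConstraints on trust anchors.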

I agree that maintaining it is a hassle, but creating a private CA is also not that easy. When I was building up my own CA, there was still a lot of stuff to take care of, from policies/keyUsages to CRL/OCSP/SECP; when ECC comes in, encryption and decryption usages sometimes could be separated. There are a whole lot of tiny little details somewhere that make me rebuild the CA. I'm on the G32 revision.

And the Nitrokeys are great, I never expected an affordable HSM for home/private use, thank you for mentioning it. I think I'm going to roll out G33 ;p