Hacker News new | ask | show | jobs
by jrabone 4922 days ago
Quite. You, are, of course, free to run your own CA. I rather like my version (a custom minimal Linux virtual machine, ~ 16MB, stored on an IronKey). Built from source, reasonably tamper-proof, works offline, encrypted at rest. It's a bit of pain to remember to reset the time/date every time I boot it, but it works quite well.

Sadly you'll spend the rest of your time installing your root certificates in everything (good luck with mobile devices, I have torn my hair out in the past with Sony-Ericsson; Oh, you have to drag the specially-named-file-in exactly-the-right-encoding onto the HIDDEN node in the PC-suite-file-explorer-horror-window, of course. HOW OBVIOUS.)
2 comments
gravitronic 4922 days ago
Can you elaborate why you've spent the considerable time to do this? Do you habitually travel / connect to completely nefarious networks?
link
jrabone 4921 days ago
Much for the same reasons I run my own mail server - because I can, I learned something doing it, it gives me more control than I'd otherwise have. I also don't trust any network with plain-text credentials so TLS was a requirement for mobile email.

IronKey was something I already used, so it was natural to try and build a minimal CA that fit on it.

Given the choice I'd prefer a good VPN solution but the aforementioned pre-smartphones simply couldn't do that and SSL VPNs weren't common, so TLS was what we had. Now, that little CA primarily gets used for generating Xauth-RSA certificates for my IPSEC VPNs...

link
newman314 4921 days ago
Any chance you could release a scrubbed setup or a blog post?

I'm looking at doing this and rather not have to slog through the nuances if possible. (I deal with certain on a sufficiently infrequent basis that I have to actively try to figure the steps again. One of the frustrating things of having to deal with cryptic options)

link
gravitronic 4921 days ago
neat, thanks for the followup!
link
jcase 4921 days ago
Actually, I've thought about starting a "real" CA (read: get certified etc). I'm not sure the world needs another one though.

Your experience running a homebrew setup is exactly why I think CAs will continue to exist—even if self-signed certs would be widely supported via DANE. I doubt many businesses are going to run their own CA in order to save < $1000 a year.

link
raylu 4921 days ago
So did Honest Achmed, but he got shut down. https://bugzil.la/647959
link