I quite like the idea of TinyCert and often wanted to do something similar myself. Although creating a private CA is not a lot of work initially, maintaining it is a hassle, especially when you'd rather be doing something else. TinyCert could be useful for development teams (and other similar non-security-critical uses) to get rid of self-signed certificates altogether.
However, for me, the fact that they have all the private keys is a deal breaker. Further, I'd like to see the certificates name-constrained to specific development hostnames. And I don't like the fact that the keyUsage and extendedKeyUsage fields are not locked down. If I am going to install a private CA root, I want to have the smallest possible attack surface.
Overall, if they offer this as something that can be locally installed, it could be a useful product. Especially if it integrates with a low-cost HSM, for example https://www.nitrokey.com/
In the meantime, for anyone looking for good documentation on how to achieve the same using just OpenSSL on the command line, I have an easy-to-follow guide as part of my OpenSSL Cookbook:
https://www.feistyduck.com/library/openssl-cookbook/online/c...
The fact that they keep your private keys in their database is what makes this a bad idea to use.
Cannot see what kind of people this service is targeted to, since the ones who understand what a CA is and need to sign their own certificates probably already know how to use OpenSSL.
I believe this was mentioned last time TinyCert appeared on HN, but a self-hosted version of this would be more ideal.
I personally use etcd-ca[0] to ease management of my own certificates.
So just to be clear: whatever you do with the keys generated by this service is trivially pwn-able by TinyCert.
Maybe you trust TinyCert not to be malicious. But do you think they're completely unhackable? A database full of private keys is a mighty tempting reward for attackers.
I wouldn't touch private-key-generation-as-a-service with a 10-foot pole.
From their FAQ: "Your certificate authorities' and certificates' private keys are generated on the TinyCert servers and stored in the database."
It seems nice! A few days back I was playing a bit with golang's crypto and examples and I created a small cli app[1] to generate CAs and private key - certificate pairs signed by them. I wanted to create a small web service on top too (no need for sign up though, just check some fields and download a zip with your files) but haven't find time.
The most difficult problem imo, remains the management and not the creation of the keys and certs. I occasionally use them to connect backend services securely, so I have to install the root cert to every server OS and every JVM based app (here we create a keystore). Then I have to install each private key and certificate to the appropriate service. If the service is JVM based we also have to adjust its command line switches. Should a private key get stolen and we have one root CA for all services, we should delete and recreate everything. PKI is complex and with tens or hundreds of services its almost impossible to manage. Even the simplest task, like downloading a file from a nexus repository by a JVM based app using https and a free StartSSL certificate is very hard, since Oracle doesn't include StartCom's root CA.
As others said, the whole point of having your own CA is that you have full trust and control over it. If you give someone your root ca private key then you may as well not have your own PKI at all (I can't see the point).
re cli - pain^2 , I ended up using xca
This is insane. It's a service that generates private keys for you and stores copies.
Why would anyone want this? Or is my sarcasm detector way off?
It could be i'm totally missing the use-case for this, but personally I think if you can't take the 30 minutes to google one of the hundreds of guides that use OpenSSL commands and precompiled win32 binaries to generate three files you shouldn't be trusted with providing security for a website. Who are these people who need SSL and don't have 30 minutes to learn this once?
There are tons of scripts and other tools that handle the commands for you, too. Do I really need to sign up for yet another website just to perform one operation? (No, and neither should you)
There is CA functionality included in basic OpenSSL:
They mention StartSSL for production certificates. Beware that while creating certificates with them is gratis, REVOKING them will cost you money. https://www.techdirt.com/articles/20140409/11442426859/shame...
Not open source.
It's like self signed certificate. From their FAQ:
"...but any regular user's browser will rightly put up a big fat warning message as they do not trust the root certificate of your TinyCert CAs."
Not sure i got it right – is it some kind of self-signed/untrusted certificate generation as-a-service?
There's no such thing as "quick and easy" security..
yum install tinyca
While not the only one out there[1], I've been hacking a cli tool written in bash[2] to streamline the OpenSSL commands geared toward a PKI/CA workflow. I started it mainly for my overall learning of OpenSSL from nothing and for my small scale needs with my CoreOS servers.
What I learned from this exercise, is that it's not the complexity of the commands that is the issue with OpenSSL, it's:
1) The importance of consistent naming schemes (for the humans) and PKI hierarchy design (the nuances of keyUsage, basicConstraints, and extendedKeyUsage)
2) consistent execution of commands; typos are more likely the more you have to put in the CLI manually
3) good configuration files aren't utilized enough in most of the tutorials I found. They can streamline use, archive procedure, and prevent typos as in point #2.
4) The importing of certs and keys in an automatic way is a sort of dark corner of the tutorial world. But permissions are super important! I came up with an import strategy that I think works pretty well.[3] Please examine and break it!
[1]https://github.com/OpenVPN/easy-rsa
[2]https://github.com/brianclements/pkictl
[3]https://github.com/brianclements/pkictl#import