Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yeah this should be revoked. Mozilla's CA acceptance programs mandate that the CA revokes the cert if the key gets compromised, and I presume others do too.

> If you have a test domain you can stick it on CloudFlare and get a certificate for free without the private part becoming public.

It all comes down to the fact that CA's don't want you to sign your own certificates, even when it's one of your subdomains unless you pay the big bucks. Best thing to do it still to create your own CA and sign certs for these kinds of things since it's meant for testing and development anyway. It's not that hard, anyone can use some command line can do it.



I'm surprised there's no "CA-tool-as-a-service" where the CA provides an API (and maybe a CLI tool that uses that API) allowing you to automatically request-and-generate certs from their CA server provided it's for a subdomain of a domain you have on your account.


That's essentially what Let's Encrypt aims to be: https://letsencrypt.org/


Have a look at the "certificate" section of Gandi's API https://github.com/Gandi/gandi.cli/blob/master/gandicli.man....

And check out SSLmate https://sslmate.com/


Check out OpenStack's Anchor project, it is exactly this.

If the people behind the post used anchor, then the issues mentioned here would be absolved.


Nearly every CA has an API already, you can add automated Domain validation yourself over a weekend.


Typical way to tackle sub-domains would be to issue a wildcard certificate.


This would be for subdomains with their own "sovereignty"; e.g. Tumblr or Wordpress blogs, where the subdomain "owner" could conceivably want to issue their own subdomains, or, heaven forbid, do client-cert signing for their subdomain.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: