Do you fall into any of the following groups? You’re a:
- Webmaster with a few internal websites that you’d like to protect with SSL but don’t want to pay anything?
- Sysadmin with a few internal servers, you’re sick of certificate warnings and want a quick fix?
- [Web] developer needing to test application compatibility with HTTPS and sick of self-signed certificate warnings?
- Security penetration tester wanting to audit a platform in a test environment over HTTPS, but no one wants to pay money because “it’s only test”.
- Quality assurance tester needing to test an application with HTTPS but your script breaks because of self-signed certificate warnings?
The best solution is to implement your own PKI or “public key infrastructure” which good ol’ Wikipedia tells us is a “set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.” The problem with that is it’s outrageously over the top.
Take a deep breath, count to 10… then go to this website (https://www.tinycert.org/).
In literally seconds you can implement your own certificate authority (CA). For the novices; the certificate authority (CA) is much like that best friend you have who knows everyone. If they trust someone, it’s very reasonable you can trust them too. It allows websites to say “I’m trusted by” your friend, so it’s safe for you to trust me – this is when the little green lock appears. With your own CA, you decide what is trusted and who new certificates are created for.
Life members out there will respond with “you’ve always been able to do that with OpenSSL on the command line” – and they would be correct.
But here’s 11 advantages to use TinyCert over traditional options:
- It literally takes seconds to implement (minutes if you’re a slow typer)
- No technical background is required to create the CA and start issuing your own certificates
- You don’t need to write a script or use the command line
- TinyCert.org is nice and easy to remember
- Share the logins among colleagues for self-service certificate creation
- You’ll get automatic renewal emails
- It’s not associated with Active Directory or any of the complexity surrounding it
- It’s perfect for non-production platform testing
- No domain name, company or staff verification, no paper-work, no IT department necessary
- Issue certificates by a name you choose (Acme Pty. Ltd.) and for common names you need (test.acme.net)
- The elegance is in the simplicity.
What’s the Catch?
No catch. And it’s 100% free.
Obviously you need to do a small amount of work to add your newly created CA into the “trusted certificate authority store” on computers you’re testing on.
Detailed help on the TinyCert website describes how to add your new certificates to Apache, nginx and IIS web servers; as well as adding your CA into your computer’s certificate store. If you need anymore help for your operating system or browser, Google is your friend as always.
Why are you mentioning this?
Because all users of technology have wrongly become accustomed with sending sensitive information across networks in plain text for too long and for no good reason. The public internet has long been a dangerous place, but one we still send our kids out to play in.
Any project that assists in improving application compatibility with secure protocols like HTTPS, aides making applications over SSL the norm, makes security easier to utilise and access – deserves a massive thumbs up from me!
Credit where credit is due
If you’re as pleased with their amazingly simple service as I am, buy them a cup of coffee as I did to show how much their hard work is appreciated. Maybe even two coffees… just a suggestion…. (Go on, you’d lose the $4.80 to the lounge cushion gods anyway, waste not want not).