Show HN: I rewrote my 2012 self-signed cert generator in Go – cert-depot.com

9 points by dimastopel 45 days ago | 1 comment

Back in 2012 I built https://cert-depot.com as a weekend project. Node.js + Express + jQuery, shelling out to OpenSSL for certificate generation. It worked but I eventually let it rot. https://news.ycombinator.com/item?id=4766743

Rewrote it from scratch in Go. The entire thing is a single binary with no external dependencies:

1. Certificate generation uses Go's crypto/x509 (no OpenSSL)

2. Certificates are generated in memory and streamed directly — nothing is stored on the server

3. RSA 2048/4096 and ECDSA P-256/P-384

4. Subject Alternative Names (required by browsers since Chrome 58)

5. ZIP (PEM files) or PFX/PKCS#12 output

You comments / suggestions / bug reports are very welcome. Thanks.

Source: https://github.com/dimastopel/certdepot

toddgardner 45 days ago |

Nice rewrite. The SAN support is the right call, a lot of older generators trip on that.

One thing worth knowing if you're using this for internal services: generating the cert is the easy part. Getting the CA cert into the trust stores of everything that needs to trust it is where self-signed deployments usually turn into a maintenance problem, especially across a mix of Linux servers, Windows machines, and Java apps with their own keystores.