Ask HN: Why shouldn't I setup a site that gives away SSL certs for local dev?

1 points by mrmattyboy ↗ HN
TLDR - Fundamentally, what's wrong with hosting a service that provides it's own SSL cert (public and private) for others to use for local development

For quite a few projects, I use a standard domain for which I have the SSL certs for.

Some of these projects require an SSL certificate to function (maybe for external requirements etc.)

To onboard people to the project, asking them to get a valid SSL certificate can be a pain..

Obviously getting them to create a CA certificate, generate a server cert etc. and adding the CA cert can be a pain.

So my thought was to share a common set of keys that are only used for local development for a non-functioning domain.

But I took this thought a step further... why shouldn't there be (or I create) a service hosted on a real domain, which provides it's own SSL certificate - providing the public and private key to anyone that requests it (e.g. https://mylocaldev.com/public.pem / https://mylocaldev.com/private.pem).

Maybe the certificate could be for a sub-domain of the actual domain, which doesn't host the actual 'site' that provides the certs (e.g. https://mylocaldev.com/certs.pem provides the certs for https://dev.mylocaldev.com)

This way, anyone could obtain the SSL cert, add the domain to their hosts file and use the certs for hosting apps locally.

Obviously, standard points:

* This is a blatant issue for MITM attacks

  - But what would they be intercepting.. the public/private key?.. who cares?
* The SSL traffic generated by the applications that people use the certificate for could be 'MITM'ed or decrypted

  - Again, if it's local development, I can't see a difference over hosting local applications without any SSL encryption
Maybe I'm missing something else? If not, how has something like this not already been done?

On the flip side, am I right in thinking this _would_ solve real-life problems that people face?

Certainly feels easier than using tunneling software that SSL-wraps the traffic (https://github.com/localtunnel/localtunnel) - though obviously this is only a small benefit of using applications like that (i.e. making your local development environment publicly accessible).

7 comments

[ 3.2 ms ] story [ 28.1 ms ] thread
[dead]
Wow, thank you :) Exactly what I was looking for!! :)

Though the SSL cert for their site appears to have just expired :/ Hopefully this is only temporary

Anyone can immediately revoke your cert.
Is the only prerequisite for revoking a certificate is to have the private key?

At least from letsencrypt, it seems you also need the original account cert or by re-validating ownership of the domain

> Is the only prerequisite for revoking a certificate is to have the private key?

Yes. Knowing the key is evidence of key compromise, key compromise means the cert must be revoked within 24 hours of the CA learning about it.

People can generate certificates as they please, including for public domains.

The only thing well-known CAs bring is that they work out of the box in browsers/OSs as they act as trusted third parties, but you can add you own CA to your browser/OS if you wish. No sharing of private keys involved.

(comment deleted)