Show HN: Abusing a GitHub repo as a private certificate authority (github.com)

26 points by stanleydrew ↗ HN
I tend to create a private certificate authority for every side project, in order to create TLS certs for local development. I find it useful to have local development closely resemble production when at all possible, and "real" certificates are an important element.

Anyway I got tired of having these CA private keys on my local machine, especially as I started thinking about setting up a private CA for my company (https://riza.io). So I started thinking about what the simplest way to host a private CA might be.

You really only need two things: 1) secret storage, to hold the CA's private key, and 2) a computer with access to the secret that can run openssl.

It turns out that a GitHub repository has secret storage, and GitHub Actions provides a computer with access to that secret storage which can run openssl.

So I made a GitHub repo with a stupid-simple workflow and a couple of convenience shell scripts to use as a private CA. I've already used it as a template repo to host private CA's for my projects, and thought it might be useful to others.

7 comments

[ 2.7 ms ] story [ 24.9 ms ] thread
For the exactly the same reason (local development closely resemble production when at all possible) I develop inside VPS via VSCode RemoteSSH and manage certificates (and everything else) exactly as in production
This is one of the best things about running a home hypervisor machine (the kids call it a “homelab” these days) — I can locally deploy a development VPS like that for no extra charge, just by cloning a template.
I'm 40 ... havent we always called it a home lab lol
Thanks so much for putting this together. It’s stupid simple but that’s all it needs to be.

I did something similar in the past for a self-hosted workflow, but this looks a lot more well put-together, and honestly I never thought about using a git repository for a PKI even though it’s really perfect for one.

Edit: what I did in particular was automating easy-rsa to manage a PKI.

I wonder if using easy-rsa via GitHub actions would make sense over the shell scripts here. I didn’t look at them yet, but easy-rsa basically is a handful of shell scripts to run a local PKI. I think it originates with the OpenVPN project, but it’s flexible enough to use it for anything

Maybe if I feel motivated enough I’ll fork it and make one that uses easy-rsa, because when I look at this I don’t really see any provisions to do anything like revoking, for instance. Or really much of anything besides signing CSRs.
I could add revocation but then I'd need a place to persist the CRL. I could persist it back to the repo itself, but I didn't want to add more complexity at the start. It's probably worth considering though, so I've added an issue.
I think Windows will need a few more extensions. Openssl has a template for them. Also special cert extensions for codesigning, wifi, ...