Show HN: Abusing a GitHub repo as a private certificate authority (github.com)
Anyway I got tired of having these CA private keys on my local machine, especially as I started thinking about setting up a private CA for my company (https://riza.io). So I started thinking about what the simplest way to host a private CA might be.
You really only need two things: 1) secret storage, to hold the CA's private key, and 2) a computer with access to the secret that can run openssl.
It turns out that a GitHub repository has secret storage, and GitHub Actions provides a computer with access to that secret storage which can run openssl.
So I made a GitHub repo with a stupid-simple workflow and a couple of convenience shell scripts to use as a private CA. I've already used it as a template repo to host private CA's for my projects, and thought it might be useful to others.
7 comments
[ 2.7 ms ] story [ 24.9 ms ] threadI did something similar in the past for a self-hosted workflow, but this looks a lot more well put-together, and honestly I never thought about using a git repository for a PKI even though it’s really perfect for one.
Edit: what I did in particular was automating easy-rsa to manage a PKI.
I wonder if using easy-rsa via GitHub actions would make sense over the shell scripts here. I didn’t look at them yet, but easy-rsa basically is a handful of shell scripts to run a local PKI. I think it originates with the OpenVPN project, but it’s flexible enough to use it for anything