In 2010 I created an SSL certificate authority to provide SSL certificates for various services & websites I was building. At the time, "Let's Encrypt" did not exist and there were few other options for free certificates. Many browsers were starting to present warnings when certain types of web content were presented without SSL/TLS protection and it seemed prudent to roll my own instead of planning to invest in an annual cost just to have publicly trusted certificates.

In 2020 the original CA certificate expired and I was forced to redo the whole process in a short amount of time. I had thought about implementing some of the new best practices; however, with the advent of Let's Encrypt in 2014, the cost/benefit analysis shifted in favor of limiting what the internal CA would be used for, thus eliminating a lot of the benefit of the added complexity.

These days the CA is used only for internal hosts and services that are not exposed to the internet. I don't publish the root CA certificate any longer, and this page exists mostly to document what I learned in the period of time I had to manage my own CA.

TLS and public trust

My all-time biggest gripe with TLS is that it is based on a weak foundation from inception. The root of the trust chain is a set of supposedly publicly audited and vetted authorities; however, in practice it's really just a rubber stamp for as little as $10/year. There's no functional difference in a practical sense between using a "free" certificate and a $100/year+ certificate. Users simply don't treat TLS as a "caveat emptor" proposition but rather as a "caveat venditor" one. In other words, the user expects that the TLS vendor is strictly liable for protecting them, as opposed to the user taking responsibility for any part of the trust chain.

TLS and non-web technologies

One of the biggest problems I had with TLS was its use in VPN products such as OpenVPN and IKE/IPsec. The need to generate a time-limited key pair and then have that enforced by the VPN software was a massive management/maintenance burden. I have since started to transition to WireGuard for site-to-site links, which removes the time sensitivity and will hopefully end the random VPN dropouts in cases where certificates fall through the cracks.
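The check that would have caught both the expiring root above and the VPN certificates that fall through the cracks is a routine expiry sweep; the following is added here as an example and is not code from the original post. It pulls the Validity window straight out of DER with a minimal TLV walker so it needs no third-party library, assumes well-formed DER, and runs against a constructed sample that is not a real certificate.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long form: next n bytes hold length
        hdr += length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return tag, pos + hdr, pos + hdr + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV in buf[start:end]."""
    while start < end:
        item = _tlv(buf, start)
        yield item
        start = item[2]

def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_period(der):
    """Return (not_before, not_after) of a DER certificate as aware datetimes."""
    _, cstart, cend = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    _, tstart, tend = next(_children(der, cstart, cend))  # tbsCertificate
    fields = list(_children(der, tstart, tend))
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    _, vstart, vend = fields[3]                           # serial, sigAlg, issuer, validity
    (t0, s0, e0), (t1, s1, e1) = list(_children(der, vstart, vend))[:2]
    return _parse_time(t0, der[s0:e0]), _parse_time(t1, der[s1:e1])

def days_until_expiry(der, now=None):
    """Days left on the certificate; negative once it has lapsed."""
    now = now or datetime.now(timezone.utc)
    return (validity_period(der)[1] - now).days

def _der(tag, body):                # short-form TLV encoder for the sample below
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed sample, NOT a real certificate: only the fields the parser walks
# are present; algorithm, names and signature are empty placeholders.
SAMPLE_CERT = _der(0x30, _der(0x30, b"".join([
    _der(0xA0, _der(0x02, b"\x02")),                      # [0] version v3
    _der(0x02, b"\x01"),                                  # serialNumber
    _der(0x30, b""), _der(0x30, b""),                     # signature, issuer
    _der(0x30, _der(0x17, b"100101000000Z") + _der(0x17, b"200101000000Z")),
])) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Feed it real DER (the bytes of a .der file, or PEM with the armor stripped and base64-decoded) and run it over the CA certificate itself as well as every leaf it issued, since the root expiring is the case that forces the whole redo.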