Why I’m a CA and you can too…

SSL Certificates are expensive, and most CAs aren’t that respectable anyhow, so why are we all using their certificates to prove we trust each other? I figure you’re here for one of two reasons. You’re either my friend and got here accidentally or you’re looking for computer advice; you either trust me because we’re friends, or you trust me enough to make your computer work better.

Either way, you trust me enough to bypass the invalid SSL warning that people get when viewing my site. Since most of what I write isn’t end-user oriented, I make a lot of assumptions, and one of those is that it is easier to add an exception than it is to constantly click ‘go ahead’. Rather than doing that, I figured I’d make available the CA chain for my home DC, so that you too can do things properly.

Most people agree that CAs are bad because who knows if you can trust them, they constantly fuck up their own security, knowingly issue keys to generate fake SSL certificates, charge extortionate rates, and generally behave unlike someone I should trust.

I’d much rather be able to add certificate chains based on the level of trust I place in a website than rely on some corporate list of companies that continue to prove themselves untrustable. So, here’s my CA info. This is run off of a domain controller I have in my house, and the following will always link to the latest Certificate, CA Chain, and revocation lists:

The CRL has two parts: the Base, which is the whole list, and the Delta, which is the differential from the previous version. You probably want the full version if you didn’t already know that.
MD5Checksum: bc192d220f088fdcfcc6d09e524b6be1  Base.crl
MD5Checksum: e602a8a970005cf81bfcc4c603a78226 Delta.crl

Certificate Authority:
MD5Checksum: 37a16f9a5918c529ed37e7706a858282 CA.cer

Certificate Authority Chain:
MD5Checksum: da7ec588df2ccdf8741fd26c656861fb CA.Chain.p7b

MD5Checksum: 0b90f71ab6e09466c75d2290edc072c8 Latest.tgz

MD5Checksum: bf9a0a4831dc34dae3bf0686a01f8469 Latest.zip

I’ll be switching the site to self-signed certs as soon as my current cert expires. So, still a while to go.

UPDATE: Turns out doing this just knocks your web traffic down by about 95%, so don’t bother. :(