
https://xhttps.io is a beta SaaS application that generates CA and server certificates. It’s like Let’s Encrypt, but for development or a private VPC.

When creating certificates, there is a lot of reading you need to do. How do you create a certificate? How do I get my browser to trust me? What is a SAN? After all that, most of the time I end up just disabling SSL certificate verification (-k/--insecure with curl), which is just as good as no SSL at all, and it makes things harder than plain text. I sometimes have services that need to interact with each other over https. Check out the StackOverflow discussion “How to create a self-signed certificate with openssl?” to see what I mean: it has been viewed over 1 million times.

Self-signed certificates make things difficult to automate. If you don’t have time to read the Stack Overflow post, the short answer for a self-signed certificate is:

openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 -subj '/CN=localhost'

This allows you to start a server, but … good luck if you want to securely connect to it. There are many solutions, but there are no easy solutions that work across all browsers, clients and platforms.

Some browsers don’t exactly make it easy to import a self-signed server certificate. In fact, with some browsers, like Android’s, you can’t. So the complete solution is to become your own certificate authority.

That is where xhttps.io comes in. xhttps.io allows you to create disposable certificate authorities on demand from a simple web endpoint, https://xhttps.io/certify/your.dns.name.

(xhttps.io also allows you to log in and create your own permanent certificate authorities, but I will write about that in a different post)

Walkthrough: Using xhttps.io

In this walkthrough, we will create a certificate bundle with xhttps.io, start a server, then authenticate that server from a client.

Create a certificate for development

In our first test case, let’s create a new certificate and CA for the DNS name localhost:

curl https://xhttps.io/certify/localhost > bundle.zip

unzip bundle.zip

That’s it! We could just as easily have chosen another DNS name, like test.127.0.0.1.xip.io:

curl https://xhttps.io/certify/test.127.0.0.1.xip.io > bundle.zip

unzip bundle.zip

The end result is that we have created and downloaded three files into the unzipped folder ./bundle/:

ca.crt: This is the certificate authority bundle; it can be shared and distributed. This file is used by individual client applications or machines to trust cert.pem and key.pem.

cert.pem: This is the public certificate. It works together with key.pem to enable https on a server.

key.pem: This is the private key. It works with cert.pem to enable https.

The private key.pem, and the corresponding CA private key that signed ca.crt, were generated on the xhttps.io server and discarded once the request finished. Every call to this endpoint produces a new, different key pair. Because the private key is generated by a remote service, these disposable bundles are suited to development and private networks, as described above, not to public production endpoints.

Start an https server

Now that we have cert.pem and key.pem we can use them to create an https server. If you don’t already have a server in mind, let’s use this simple node.js server; it will just serve the contents of the current directory:

npm i -g http-server

http-server . -S -C bundle/cert.pem -K bundle/key.pem -d -p 8443

If you try to access the server you will get an expected error like this (similar to what you get with a self-signed certificate):

curl https://localhost:8443/
curl: (60) Peer’s Certificate issuer is not recognized.

With self-signed certs it is typical for developers to use -k or --insecure to ignore this error. Not with xhttps.io, though: you can use the other file, ca.crt, to ensure trusted communication between your clients and servers.
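To make the roles of the three files and the curl error above concrete, here is an added Go example (not from this post and not xhttps.io’s own code) using only the standard library. It builds a stand-in bundle locally, serves it over TLS, and then fetches it twice: once as a client that has not trusted ca.crt, which fails the same way plain curl does above, and once with ca.crt as its only root, the equivalent of curl --cacert bundle/ca.crt https://localhost:8443/. The bundle contents, the server response and the function names (NewBundle, StartServer, Fetch) are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// check keeps the example short; real code would return the error instead.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewBundle is a constructed stand-in for the xhttps.io download. It returns
// PEM bytes in the roles of ca.crt, cert.pem and key.pem. The CA private key
// never leaves this function, like the disposable authority on the page.
func NewBundle(dnsName string) (caCrt, certPem, keyPem []byte) {
	toPEM := func(t string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: der}) }
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "disposable dev CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName}, // the SAN; modern clients ignore the CN
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	check(err)
	keyDER, err := x509.MarshalECPrivateKey(srvKey)
	check(err)
	return toPEM("CERTIFICATE", caDER), toPEM("CERTIFICATE", srvDER), toPEM("EC PRIVATE KEY", keyDER)
}

// StartServer plays the role of `http-server -S -C cert.pem -K key.pem`.
func StartServer(certPem, keyPem []byte) *httptest.Server {
	pair, err := tls.X509KeyPair(certPem, keyPem)
	check(err)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "hello over https\n")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{pair}}
	srv.StartTLS()
	return srv
}

// Fetch does one GET. caCrt == nil models a client that has not trusted ca.crt
// (plain curl); otherwise it models `curl --cacert bundle/ca.crt`. serverName is
// the name to verify; curl takes it from the URL, but the test server listens on 127.0.0.1.
func Fetch(url, serverName string, caCrt []byte) (string, error) {
	cfg := &tls.Config{ServerName: serverName}
	if caCrt != nil {
		pool := x509.NewCertPool()
		pool.AppendCertsFromPEM(caCrt)
		cfg.RootCAs = pool // trust this CA only, nothing from the system store
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	caCrt, certPem, keyPem := NewBundle("localhost")
	srv := StartServer(certPem, keyPem)
	defer srv.Close()
	_, err := Fetch(srv.URL, "localhost", nil)
	fmt.Println("without ca.crt:", err)
	body, _ := Fetch(srv.URL, "localhost", caCrt)
	fmt.Print("with ca.crt: ", body)
}
```

Two things in Fetch are worth noting for anyone wiring this into a real client: RootCAs replaces the system store rather than adding to it, so the client trusts exactly one authority, and the name check is still enforced, so a certificate issued for localhost is rejected for any other host even when the CA is trusted.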

Trust the certificate authority

Ok, that’s nice, but wouldn’t it be great to install ca.crt globally, so curl will just work? You can do that with the xhttps.io/manage script. Because manage.sh runs as root and modifies the system trust store, read the script before running it.

curl https://xhttps.io/manage > ./manage.sh
sudo sh ./manage.sh install bundle/ca.crt

Now curl will work as expected every time without the --cacert option.

This also works in your browser.

Next Steps

Now that you are running securely in development, wouldn’t it be nice if you didn’t need to install the ca.crt for every domain? Hint: you can log in to xhttps.io/console. But I will save that for another post.