Custom SSL Certificate Authority?

Question

Is there a custom SSL certificate authority I can add to my browser?

We use lots of internal urls like

http://www.somproject.somebranch/ for working on individual branches

It would be cool if there was some service I could add to my browser/OS which would let me use a single cert (or easily generate certs) for non-real domains. Does this exist, or is this just a #firstworldproblem?

Answer 1

The point of a custom CA is that you have to create it yourself (by being the holder of the private key for the CA certificate, in particular). Importing just any available CA certificate into your browser would mean that anyone with its private key could issue certificates recognised by your browser (usually for any site, unless there is a specific policy).

There are a few tools to manage a CA:

• OpenSSL's CA.pl: it's a script that comes with OpenSSL. It's quite basic but highly configurable (via openssl.cnf).
• TinyCA is a front-end to OpenSSL that helps you manage your certificates with a GUI. It's a bit more manageable than CA.pl.
• OSX comes with its own interface in Keychain.app.
• There are a number of other tools listed in this Security.SE question: EJBCA, OpenCA and XCA.

Most of the hard work is the administrative part (not so much sysadmin, but paperwork) in general. If it's just for you, EJBCA or OpenCA might be overkill.