Hi HN! I'm Ben, co-founder of Anchor (https://anchor.dev/). Anchor is a hosted service for ACME-powered internal X.509 CAs. We recently launched our features & tooling for local development. The goal is to make it easy and toil-free to develop locally with HTTPS, and also provide dev/prod parity for TLS/HTTPS encryption.

You can add Anchor to your development workflow in minutes. Here's how:

- https://blog.anchor.dev/getting-started-with-anchor-for-local-development-6dd2cd605c08

- https://blog.anchor.dev/service-to-service-tls-in-development-d0df479d67ce

We started Anchor because private CAs were a constant source of frustration throughout our careers. Avoiding them makes it all the more painful when you're finally forced to use one. The release of ACME and Let's Encrypt was a big step forward in certificate provisioning, but the improvements have been almost entirely in the WebPKI and public CA space. Internal TLS is still as unpleasant & painful to use as it has been for the past 20 years.

So we've built Anchor to be a developer-friendly way to set up internal TLS that fully leverages the benefits of ACME:

- no encryption experience or X.509 knowledge required
- automatically generated system and language packages to manage client trust stores
- ACME (RFC 8555) compliant API, broad language/tooling support for cert provisioning
- fully hosted, no services or infra requirements
- works the same in all deployment environments, including development

If you're interested in more specific details and strategy, our blog posts cover all this and more: https://blog.anchor.dev/

We are asking for feedback on our features for local development, and would like to hear your thoughts & questions. Many thanks!
What advantages over, say, smallstep/certificates, letsencrypt/boulder, django-ca, square/certstrap, or hashicorp/vault (and e.g. OpenWRT's luci-app-acme ACMEv2 GUI) does Anchor offer?

https://github.com/topics/acme

applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js:
https://github.com/openwrt/luci/blob/master/applications/luci-app-acme/htdocs/luci-static/resources/view/acme.js

https://openwrt.org/docs/guide-user/services/tls/acmesh

https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine
https://github.com/hashicorp/vault :

> Refer to Build Certificate Authority (CA) in Vault with an offline Root for an example of using a root CA external to Vault.
I'm not sure I understand the value prop. For localhost, you typically just generate a self-signed certificate that doesn't need to be trusted by everyone, as the dev can just add it to their local store. There are also other services that provide ACME certificates for localhost domains, basically what you do for free (I can't find a link to one but it was posted on HN recently).

If you need a trusted certificate for local dev, something like Cloudflare Tunnels is more valuable as you can have other folks access the service.
I don't really understand how "hosted" and "internal" go together here. Does this mean that a) the devices I need certificates for must connect to your servers, and that b) your servers could theoretically sign certificates for devices which do not exist? If so, especially for the latter point, this IMO isn't really useful for any real-world application, as the most important thing about a CA is control.
Does this help at all with the issue of deploying the root CA cert on every device that will interact with services with these certs deployed? That seems to me to be the hardest part about running an internal CA. You've got to put it on everyone's laptops as well as all your servers.
Feedback:

I don't use services that require external services to auth with. I've stopped using GitHub whenever/wherever possible because of the ICE concentration camps thing and your service doesn't allow me to log in or create an account without using GitHub.

Your website doesn't say how much it costs.