I tend to create a private certificate authority for every side project, in order to create TLS certs for local development. I find it useful to have local development closely resemble production when at all possible, and "real" certificates are an important element.<p>Anyway I got tired of having these CA private keys on my local machine, especially as I started thinking about setting up a private CA for my company (<a href="https://riza.io" rel="nofollow">https://riza.io</a>). So I started thinking about what the simplest way to host a private CA might be.<p>You really only need two things: 1) secret storage, to hold the CA's private key, and 2) a computer with access to the secret that can run openssl.<p>It turns out that a GitHub repository has secret storage, and GitHub Actions provides a computer with access to that secret storage which can run openssl.<p>So I made a GitHub repo with a stupid-simple workflow and a couple of convenience shell scripts to use as a private CA. I've already used it as a template repo to host private CAs for my projects, and thought it might be useful to others.
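The two ingredients named in the post above (a secret store holding the CA key, and a machine that can run openssl) come together in a signing step like the following. This is an added example, not the scripts from the repository the post describes; the variable names `CA_KEY_PEM` and `CA_CERT_PEM`, both function names, and the throwaway CA built in `demo_roundtrip` are assumptions constructed for illustration.

```bash
# Added example. CA_KEY_PEM / CA_CERT_PEM are assumed variable names for how a
# workflow might expose repository secrets; they are not taken from the repo.

sign_csr() {  # usage: sign_csr <csr.pem> <out.pem> <dns-name> [days]
  local csr="$1" out="$2" name="$3" days="${4:-30}" work rc=0
  [ -n "${CA_KEY_PEM:-}" ] && [ -n "${CA_CERT_PEM:-}" ] || return 2
  # The name goes into an OpenSSL config file, so allow hostname characters only.
  case "$name" in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
  # Require a CSR whose self-signature verifies (requester holds the key).
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 3
  work=$(mktemp -d) || return 1          # mktemp -d creates a 0700 directory
  ( umask 077
    printf '%s\n' "$CA_KEY_PEM"  > "$work/ca.key"
    printf '%s\n' "$CA_CERT_PEM" > "$work/ca.crt"
    # Extensions are chosen by the CA, not copied from the request.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
      'keyUsage=critical,digitalSignature,keyEncipherment' \
      'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$name" > "$work/ext.cnf" )
  openssl x509 -req -in "$csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days "$days" -sha256 -extfile "$work/ext.cnf" \
    -out "$out" 2>/dev/null || rc=4
  # Confirm the new certificate chains to the CA before returning it.
  if [ "$rc" -eq 0 ]; then
    openssl verify -CAfile "$work/ca.crt" "$out" >/dev/null 2>&1 || rc=5
  fi
  rm -rf "$work"                          # key material does not outlive the call
  return "$rc"
}

demo_roundtrip() {  # constructed throwaway CA and CSR, for illustration only
  local d rc=0 CA_KEY_PEM CA_CERT_PEM
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Example Dev CA' -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || rc=1
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dev.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || rc=1
  CA_KEY_PEM=$(cat "$d/ca.key"); CA_CERT_PEM=$(cat "$d/ca.crt")
  sign_csr "$d/leaf.csr" "$d/leaf.crt" dev.example.test 7 || rc=$?
  # The issued certificate must carry the SAN the CA chose.
  [ "$rc" -ne 0 ] || openssl x509 -in "$d/leaf.crt" -noout -text \
    | grep -q 'DNS:dev.example.test' || rc=6
  rm -rf "$d"
  return "$rc"
}
```

The hostname check rejects wildcard names as written, and the key is still written to a runner's temporary directory for the duration of the call.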
Thanks so much for putting this together. It’s stupid simple but that’s all it needs to be.<p>I did something similar in the past for a self-hosted workflow, but this looks a lot more well put-together, and honestly I never thought about using a git repository for a PKI even though it’s really perfect for one.<p>Edit: what I did in particular was automating easy-rsa to manage a PKI.<p>I wonder if using easy-rsa via GitHub Actions would make sense over the shell scripts here. I didn’t look at them yet, but easy-rsa basically <i>is</i> a handful of shell scripts to run a local PKI. I think it originates with the OpenVPN project, but it’s flexible enough to use it for anything.
For exactly the same reason (local development closely resemble production when at all possible) I develop inside a VPS via VSCode RemoteSSH and manage certificates (and everything else) exactly as in production.