HTools Certificate Authority

just kidding, kinda.

This is an ACME server, similar to what LetsEncrypt runs.

But instead of getting your certificate signed by a publicly trusted CA, it issues a self-signed certificate. Combined with DANE (a TLSA record published under your name), this is enough to secure a Handshake website: the browser or resolver trusts the certificate because DNS says so, not because of who signed it.

# Have a web server already serving HTTP (see the HTools blog post)
# Install certbot (or any other ACME client) normally
# Get a certificate and install it like this:

sudo certbot --nginx -d your_tld.or_sld \
    --server --reuse-key

# Use a valid email address above: the final step (adding a DNS record) is sent to it

Why does this even exist?

Because you can use any ACME client (like certbot) and take advantage of its existing plugins for all kinds of web servers. There is also no need to hand-roll the certificate with OpenSSL or compute the TLSA record yourself.

What if the CA is compromised?

Nothing happens. A new CA key is generated for every issued certificate and destroyed immediately afterwards, so there is no long-lived signing key to steal. And with DANE it would not matter anyway: the TLSA record pins your certificate (or its public key) in DNS, so trust is anchored in control of the name, not in the CA. The caveat is the flip side of that: whoever controls the DNS records for your name controls what clients trust.
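The DNS record the final step asks for is, for DANE, a TLSA record. The example below is added here and is not HTools code; it shows how such a record is derived from a certificate and why the `--reuse-key` flag in the certbot command above matters. It assumes the common "3 1 1" form (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256), builds three structurally valid but unsigned X.509 certificates inline as constructed samples, and uses only the Python standard library. The certificate, key and serial values are placeholders, not real keys. It also illustrates the "compromised CA" answer: matching is done against the certificate or its key, never against the issuer.

```python
import hashlib

# --- minimal DER helpers: encode (for the constructed samples) and decode (for the real work) ---

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end) for the single-byte-tag TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                             # optional [0] EXPLICIT version present
        tag, _, pos = read_tlv(tbs, pos)        # serialNumber
    for _ in range(4):                          # signature, issuer, validity, subject
        tag, _, pos = read_tlv(tbs, pos)
    start = pos
    _, _, pos = read_tlv(tbs, pos)              # subjectPublicKeyInfo
    return tbs[start:pos]

# --- TLSA (RFC 6698) ---

def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Rdata for a TLSA record; defaults to 3 1 1 (DANE-EE, SPKI, SHA-256)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError(f"unsupported matching type {mtype}")
    return f"{usage} {selector} {mtype} {assoc}"

def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Does the certificate a server presents satisfy a published TLSA record?"""
    usage, selector, mtype, assoc = rdata.split()
    computed = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3]
    return computed == assoc.lower()

def tlsa_owner(name: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name the record is published under, e.g. _443._tcp.your_tld"""
    return f"_{port}._{proto}.{name}"

# --- constructed sample certificates (placeholder keys and signatures, NOT real) ---

OID_RSA = der(0x06, bytes.fromhex("2A864886F70D010101"))         # 1.2.840.113549.1.1.1
OID_SHA256_RSA = der(0x06, bytes.fromhex("2A864886F70D01010B"))  # 1.2.840.113549.1.1.11

def fake_spki(seed: bytes) -> bytes:
    alg = der(0x30, OID_RSA + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + hashlib.sha256(seed).digest()))

def fake_cert(serial: int, spki: bytes) -> bytes:
    sig_alg = der(0x30, OID_SHA256_RSA + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +                      # version v3
              der(0x02, bytes([serial])) +
              sig_alg +
              der(0x30, b"") +                                     # issuer (empty Name)
              der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z")) +
              der(0x30, b"") +                                     # subject (empty Name)
              spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))     # placeholder signature

KEY_A = fake_spki(b"key A")
KEY_B = fake_spki(b"key B")
CERT_ORIGINAL = fake_cert(1, KEY_A)           # first issuance
CERT_RENEWED_REUSE_KEY = fake_cert(2, KEY_A)  # renewal with --reuse-key: same key, new cert
CERT_RENEWED_NEW_KEY = fake_cert(3, KEY_B)    # renewal without it: new key

if __name__ == "__main__":
    rec = tlsa_rdata(CERT_ORIGINAL)
    print(tlsa_owner("your_tld"), "IN TLSA", rec)
    for label, cert in [("reuse-key renewal", CERT_RENEWED_REUSE_KEY),
                        ("new-key renewal", CERT_RENEWED_NEW_KEY)]:
        print(f"{label}: record still valid = {tlsa_matches(cert, rec)}")
```

With `--reuse-key` the renewed certificate carries the same SubjectPublicKeyInfo, so a "3 1 1" record keeps matching and the DNS step does not have to be repeated at every renewal; a new key, or a "3 0 1" record (full-certificate hash), breaks on the first renewal.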

I don't want emails.

Emails are only sent when a certificate is issued. If you already know what to do and really don't want them, add +noemail to your email address like:


Feel free to join Handshake's Telegram or Discord groups and we'll do our best to figure out how to fix it.