HTools

HTools Certificate Authority

just kidding, kinda.

This is an ACME server, similar to what LetsEncrypt runs.

But instead of your certificate being signed by a trusted CA, it issues what is effectively a self-signed certificate: nothing in the public PKI trusts it. Combined with DANE (a TLSA record in DNS), that is enough to secure Handshake websites.

# Have a web server serving HTTP already: HTools Blog Post
# Install certbot (or any ACME client) normally: https://certbot.eff.org/
# Get a certificate and install it like this (--reuse-key keeps the same
# key pair on renewal, so a TLSA record that hashes the public key stays valid):

sudo certbot --nginx -d your_tld.or_sld \
    --server https://acme.htools.work/directory --reuse-key

# Finally, set the TLSA record from https://acme.htools.work/tlsa

Why does this even exist?

Because you can use any ACME client (like certbot) and take advantage of its existing plugins for all kinds of web servers. There is also no need to bother with OpenSSL or with computing TLSA records by hand.
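To show what the TLSA record from the last step actually contains, and why --reuse-key matters, here is an added example (not HTools' code and not what the server runs): a DANE-EE record of the form "3 1 1 <hex>" is the SHA-256 of the DER-encoded SubjectPublicKeyInfo of the leaf certificate, so it stays the same across renewals as long as the key pair is reused. The certificate below is a constructed X.509 skeleton with an Ed25519-style SPKI and a placeholder key, built inline so the example runs offline; it is not a real issued certificate.

```python
"""Compute a DANE-EE (usage 3, selector 1, matching 1) TLSA record from a
DER X.509 certificate using only a minimal ASN.1 reader.

  usage 3    = DANE-EE: the end-entity certificate itself is the trust anchor
  selector 1 = match only the SubjectPublicKeyInfo (SPKI), not the whole cert
  matching 1 = SHA-256 of the DER-encoded SPKI
"""
import hashlib


def _read_tlv(buf, pos):
    """Return (tag, body, end) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def _children(body):
    """Split a SEQUENCE body into its top-level encoded elements."""
    out, pos = [], 0
    while pos < len(body):
        _, _, end = _read_tlv(body, pos)
        out.append(body[pos:end])
        pos = end
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo from a DER X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = _read_tlv(_children(cert_body)[0], 0)
    fields = _children(tbs_body)
    # TBSCertificate: [0] version OPTIONAL, serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    if fields[0][0] == 0xA0:                # explicit [0] version tag present
        fields = fields[1:]
    return fields[5]


def spki_sha256(spki_der):
    """Matching type 1: hex SHA-256 over the DER SPKI."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_311(cert_der):
    """The record text that goes into DNS for _443._tcp.<name>."""
    return "3 1 1 " + spki_sha256(extract_spki(cert_der))


# --- constructed sample data (not a real certificate) -----------------------

def _der(tag, body):
    """Encode one DER TLV; lengths up to 65535 are enough for this example."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body


ED25519_ALG = _der(0x30, _der(0x06, bytes.fromhex("2b6570")))  # id-Ed25519, no params


def build_cert(serial, public_key):
    """Assemble a minimal, unsigned certificate skeleton around public_key (assumed
    32 bytes). Only the structure matters here; the signature is all zeros."""
    spki = _der(0x30, ED25519_ALG + _der(0x03, b"\x00" + public_key))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))          # [0] version v3
               + _der(0x02, bytes([serial]))            # serialNumber
               + ED25519_ALG                            # signature algorithm
               + _der(0x30, b"")                        # issuer (empty in this example)
               + validity
               + _der(0x30, b"")                        # subject (empty in this example)
               + spki)
    return _der(0x30, tbs + ED25519_ALG + _der(0x03, b"\x00" + bytes(64)))


SAMPLE_KEY = bytes(range(32))       # placeholder public key, constructed
SAMPLE_CERT = build_cert(1, SAMPLE_KEY)
SAMPLE_SPKI = _der(0x30, ED25519_ALG + _der(0x03, b"\x00" + SAMPLE_KEY))

if __name__ == "__main__":
    print(tlsa_311(SAMPLE_CERT))
    # A renewal with the same key (what --reuse-key gives you) yields the same record;
    # a renewal with a fresh key would require updating DNS.
    print(tlsa_311(build_cert(2, SAMPLE_KEY)) == tlsa_311(SAMPLE_CERT))
    print(tlsa_311(build_cert(2, bytes(32))) == tlsa_311(SAMPLE_CERT))
```

Because selector 1 hashes only the SPKI, everything else in the certificate (serial, validity, issuer, signature) is irrelevant to the record, which is also why the throwaway CA key described below does not matter for DANE-EE.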

What if the CA is compromised?

Nothing happens. A new CA key is generated for every issued certificate and destroyed immediately afterwards, so there is no long-lived signing key to steal. And with DANE it would not matter anyway: a DANE-EE (usage 3) TLSA record pins your own end-entity certificate or public key, so validators never consult the issuer.

I want the TLSA email.

To receive emails containing TLSA records whenever a certificate is issued, add +email to the local part of the contact address you register with your ACME account, like: foobar+email@gmail.com.

Help!

Feel free to join Handshake's Telegram or Discord groups and we'll do our best to figure out how to fix it.