Actually I think I see a better, safer, easier way
make/cache self-signed certificates in the user's home directory, hash them on their domains/ips for reuse, automate trust installation
This prevents them from being used for any domains other than the domains specified in the certificate
furthermore you could have the tool restrict which domains can be created for security reasons
Certifiable is a great name, by the way :)
Wouldn't an attacker just replace the file in the user's home directory? If trust installation is automated.
@dominicm not that automated 🙂 when you create the certificate you are queried whether to install it
@dominicm I think I figured it out finally
it's kinda obvious
delete the keys
folks can trust a root that has no keys
and the leaf certificate keys can’t be used to sign any new certs
then cache based on the domains, ips to eliminate asking for trust over and over
Interesting, a tool can even go one step further: never write the priv keys to disk. Keep in memory.
@dominicm food for thought
I'll be honest, I still don't entirely understand the use-case of hitting up localhost with ssl.