Every computer connected to the internet today contains a series of "certificate stores". These stores are crucial to encrypted communication everywhere, but their contents drift between providers and often extend trust further than users expect.
The underlying Certificate Authority technology offers no fine-grained management, active countermeasures or misuse prevention for end-user machines. Any system you buy comes loaded with trust in countless CAs, which means that your encrypted connections are at risk of eavesdropping or misrepresentation if any one of those CAs issues privacy-destructive or nefarious certificates. Read up on the background if you're interested.
Trust with another party needs to be earned, not defaulted. `cert-manage` is a tool to give users easier control of their trusted X.509 certificate stores on their systems and applications.

`cert-manage` offers a few features currently: List, Whitelisting and Backup/Restore. These are explained as follows:
Download the latest release or build from source with `go get github.com/adamdecaf/cert-manage`.

```console
# List certificates trusted on your system (or app)
$ cert-manage list
$ cert-manage list -app java
Certificate
SHA256 Fingerprint - 3a43e220fe7f3ea9653d1e21742eac2b75c20fd8980305bc502caf8c2d9b41a1
SerialNumber: 246153180488710619953605749449532672687
Subject: VeriSign, Inc., Class 2 Public Primary Certification Authority - G2
Issuer: VeriSign, Inc., Class 2 Public Primary Certification Authority - G2
NotBefore - 1998-05-18 00:00:00 +0000 UTC, NotAfter - 2028-08-01 23:59:59 +0000 UTC
IsCA - false
...
$ cert-manage list -file example.crt
$ cert-manage list -url https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

# Trim down what CA's are trusted on your system
$ cert-manage whitelist -file urls.yaml # or json
$ cert-manage whitelist -app chrome -file urls.yaml

# Backup and Restore the current trust
$ cert-manage backup
$ cert-manage restore [-file <path>]
```
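The `list` output above is a SHA-256 fingerprint of the certificate's DER bytes plus the parsed serial, subject, issuer, validity window and CA flag, and `whitelist` reduces the trusted set to the entries you name. The following Go program, added here as an illustration and not taken from the cert-manage code base, shows how those two steps fit together: it parses a PEM bundle, extracts the same fields, and keeps only certificates whose fingerprint appears on a whitelist. It assumes a whitelist given directly as a slice of hex fingerprints (the `urls.yaml` format is not shown on this page), and it constructs two throwaway self-signed certificates as input so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertInfo holds the fields `cert-manage list` prints (example type, not the project's).
type CertInfo struct {
	Fingerprint string // lowercase hex SHA-256 of the DER encoding
	Serial      string
	Subject     string
	Issuer      string
	NotBefore   time.Time
	NotAfter    time.Time
	IsCA        bool
}

// Fingerprint hashes the DER bytes. A whitelist pins this value rather than the
// Subject, because any issuer can copy a Subject but not the signed bytes.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ParseBundle parses every CERTIFICATE block in a PEM bundle and skips other
// block types (keys, CRLs) that may share the file.
func ParseBundle(pemData []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		block, rest := pem.Decode(pemData)
		if block == nil {
			return certs, nil
		}
		pemData = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
}

// Describe extracts the fields shown in the `list` output.
func Describe(c *x509.Certificate) CertInfo {
	return CertInfo{Fingerprint: Fingerprint(c), Serial: c.SerialNumber.String(),
		Subject: c.Subject.String(), Issuer: c.Issuer.String(),
		NotBefore: c.NotBefore, NotAfter: c.NotAfter, IsCA: c.IsCA}
}

// ApplyWhitelist keeps only certificates whose fingerprint is listed. Colons and
// upper-case hex are tolerated; an empty whitelist trusts nothing.
func ApplyWhitelist(certs []*x509.Certificate, allowed []string) []*x509.Certificate {
	set := make(map[string]bool, len(allowed))
	for _, fp := range allowed {
		set[strings.ToLower(strings.Replace(fp, ":", "", -1))] = true
	}
	var kept []*x509.Certificate
	for _, c := range certs {
		if set[Fingerprint(c)] {
			kept = append(kept, c)
		}
	}
	return kept
}

// SelfSignedPEM builds a constructed, throwaway self-signed certificate (not a real CA).
func SelfSignedPEM(cn string, isCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{"Example Org"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	root, _ := SelfSignedPEM("Example Root CA", true)
	leaf, _ := SelfSignedPEM("Example Leaf", false)
	certs, err := ParseBundle(append(root, leaf...))
	if err != nil {
		panic(err)
	}
	for _, c := range certs {
		fmt.Printf("%+v\n", Describe(c))
	}
	// Whitelist only the root: the leaf drops out of the trusted set.
	kept := ApplyWhitelist(certs, []string{Fingerprint(certs[0])})
	fmt.Printf("trusted after whitelist: %d of %d\n", len(kept), len(certs))
}
```

Pinning on the DER fingerprint rather than the Subject is the point worth carrying over to a real whitelist file: two CAs can both call themselves "Class 2 Public Primary Certification Authority", but only one of them produced the bytes that hash to a given fingerprint.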
`cert-manage` abstracts over the differences in certificate stores for the following platforms:

Level | Platform(s) |
---|---|
Full Support | Linux (Alpine, Debian, Ubuntu) |
Partial Support | Darwin/OSX, Windows |

Also, `cert-manage` abstracts over the following applications' certificate stores across the supported platforms.

Level | Application(s) |
---|---|
Full Support | Java |
Partial Support | Chrome, Firefox, OpenSSL |
There have been numerous recent incidents in the wild involving CAs (Certificate Authorities) that don't understand the power they have over every system which trusts communications signed with their keys. Additionally, distributors of certificate stores have started to become aware and demand stricter working requirements from CAs, but the power is not readily available in users' hands for them to make these decisions themselves.
Below is a short list of incidents over the past couple of years (2015-2017) from CAs either acting carelessly or maliciously.
- www.sb which should not have been generated. It has since been revoked.

I'm always looking for new contributors, and anything from help with docs, bugfixes or new certificate store additions is gladly appreciated. If you're interested in contributing then pull down the source code and submit some PRs or join `##cert-manage` on the freenode IRC network.
You can build the sources with `make build`. Run tests with `make test`. Currently we require Go 1.10.

Note: Many tests will run if docker is enabled/setup. To disable this, run commands with `MOCKED=true` (e.g. `MOCKED=true make test`).
This project follows the Google Code of Conduct.