> On Jan 22, 2018, at 10:06 AM, Danny Horne <da...@trisect.uk> wrote:
>
> Private CA sounds interesting, will have to read up about it

You can get away with a lot less complexity than the usual OpenSSL CA. See, for example:

    https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

which creates certificates via "openssl x509 -req" without all the overhead of a stateful CA. What you'd do differently is password-protect the CA key, and perhaps issue certificates with a somewhat shorter lifetime than the 100 years in that script.

--
Viktor.
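
The approach described in the reply above, as an added example that is not part of the original message and is not taken from mkcert.sh: a stateless private CA built on "openssl x509 -req", with an encrypted CA key and short-lived leaf certificates. It assumes OpenSSL 1.1.1 or later; the function names, file names, the `CA_PASS` variable and the 3650/90-day lifetimes are all hypothetical choices.

```shell
#!/bin/sh
# Added example, not from the original message or from mkcert.sh.
# Assumes OpenSSL 1.1.1+; the CA passphrase comes from $CA_PASS (hypothetical name).

req_conf() {  # req_conf CN: minimal "openssl req" config, so no openssl.cnf is needed
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1"
}

new_key() {  # new_key FILE [cipher/passphrase options]: P-256 key, owner-readable only
    ( umask 077; f=$1; shift
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 "$@" -out "$f" )
}

make_ca() {  # make_ca DIR: passphrase-protected CA key and self-signed CA certificate
    d=$1; mkdir -p "$d" || return 1
    new_key "$d/ca.key" -aes-256-cbc -pass env:CA_PASS || return 1
    req_conf "Example Private CA" >"$d/ca.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    openssl req -new -sha256 -key "$d/ca.key" -passin env:CA_PASS -config "$d/ca.cnf" |
    openssl x509 -req -sha256 -signkey "$d/ca.key" -passin env:CA_PASS \
        -days 3650 -extfile "$d/ca.ext" -out "$d/ca.pem"
}

issue_cert() {  # issue_cert DIR HOST [DAYS]: leaf key and certificate, default 90 days
    d=$1 host=$2 days=${3:-90}
    new_key "$d/$host.key" || return 1
    req_conf "$host" >"$d/$host.cnf"
    printf 'basicConstraints = critical,CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" >"$d/$host.ext"
    # Random 128-bit serial instead of a serial file: nothing to keep between runs.
    openssl req -new -sha256 -key "$d/$host.key" -config "$d/$host.cnf" |
    openssl x509 -req -sha256 -CA "$d/ca.pem" -CAkey "$d/ca.key" -passin env:CA_PASS \
        -set_serial "0x$(openssl rand -hex 16)" -days "$days" \
        -extfile "$d/$host.ext" -out "$d/$host.pem"
}
```

With `CA_PASS` exported, `make_ca ./ca` followed by `issue_cert ./ca host.example.test 30` leaves `ca.pem` to distribute as the trust anchor and a key and certificate pair for the host.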