Hacker News Viewer

Show HN: I rewrote my 2012 self-signed cert generator in Go – cert-depot.com

by dimastopel on 4/2/2026, 12:36:10 PM

Back in 2012 I built https://cert-depot.com as a weekend project. Node.js + Express + jQuery, shelling out to OpenSSL for certificate generation. It worked but I eventually let it rot. https://news.ycombinator.com/item?id=4766743

Rewrote it from scratch in Go. The entire thing is a single binary with no external dependencies:

1. Certificate generation uses Go's crypto/x509 (no OpenSSL)

2. Certificates are generated in memory and streamed directly — nothing is stored on the server

3. RSA 2048/4096 and ECDSA P-256/P-384

4. Subject Alternative Names (required by browsers since Chrome 58)

5. ZIP (PEM files) or PFX/PKCS#12 output

Your comments / suggestions / bug reports are very welcome. Thanks.

Source: https://github.com/dimastopel/certdepot

Comments

by: toddgardner

Nice rewrite. The SAN support is the right call, a lot of older generators trip on that.

One thing worth knowing if you're using this for internal services: generating the cert is the easy part. Getting the CA cert into the trust stores of everything that needs to trust it is where self-signed deployments usually turn into a maintenance problem, especially across a mix of Linux servers, Windows machines, and Java apps with their own keystores.

4/2/2026, 7:19:39 PM
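The two points raised above, in-memory certificate generation with SANs via crypto/x509 (the submission) and the fact that a certificate is only useful once its issuing CA is in the verifier's trust store (toddgardner's comment), can both be shown with a small stand-alone Go program. This is an added example and not code from the certdepot project; the CA name, the hostnames and the IP address are constructed values, and the function names (NewCA, NewLeaf, VerifyAgainst) are this example's own. It builds an ECDSA P-256 CA and a leaf certificate for two SANs entirely in memory, PEM-encodes them, then verifies the leaf three times: against a pool that contains the CA, against an empty pool (what a machine that never received the CA sees), and for a hostname not covered by the SANs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSerial returns a random 128-bit serial; RFC 5280 requires serials to be positive and unique per issuer.
func newSerial() (*big.Int, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), 128)
	return rand.Int(rand.Reader, limit)
}

// NewCA creates a self-signed ECDSA P-256 CA certificate in memory (nothing is written to disk).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := newSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour), // tolerate small clock skew
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLeaf issues a server certificate for hosts, signed by the CA. Each host becomes a DNS or IP SAN,
// which is what browsers match on (the CommonName alone is ignored). Output is PEM, held in memory.
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hosts []string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := newSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: hosts[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// VerifyAgainst does what a TLS client does: chain certPEM to a root in the given trust store
// and check that dnsName is covered by the SANs. A nil error means the client would accept it.
func VerifyAgainst(certPEM []byte, roots *x509.CertPool, dnsName string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots, // an explicit empty pool; nil would fall back to the system store
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := NewCA("Example Internal CA") // constructed name
	if err != nil {
		panic(err)
	}
	certPEM, _, err := NewLeaf(ca, caKey, []string{"svc.internal.example", "10.0.0.5"}) // constructed SANs
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the step the comment above is about: distributing the CA to every verifier
	fmt.Println("CA in trust store:      ", VerifyAgainst(certPEM, trusted, "svc.internal.example"))
	fmt.Println("CA missing from store:  ", VerifyAgainst(certPEM, x509.NewCertPool(), "svc.internal.example"))
	fmt.Println("host not in SANs:       ", VerifyAgainst(certPEM, trusted, "other.example"))
}
```

The second call fails with an unknown-authority error even though the certificate itself is perfectly well formed, which is the situation every Linux box, Windows host or Java keystore that never received the CA is in; the third fails on hostname mismatch, showing why the SAN list has to be complete at issuance time.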