minica
Use ~/.minica/ by default
I suppose the main use case for minica is to enable developing projects on a local workstation. This means we'll have just one CA key imported into all local browsers, and per-project certificates. Not sure about the best default place to store per-project certificates (it may make sense to keep them in the project's dir), but the CA key by default should always be the same. Needing to cd into some specific directory before running minica is very inconvenient, please make it use ~/.minica/ for the CA key by default and add an option to change this directory, so minica -ca-dir . can be used to emulate the current behaviour.
As for site certificates, I suppose it makes sense to do the same: use ~/.minica/site/ by default and add an option -out-dir and/or two options -out-cert and -out-key to make it easier to control where the project certificate will be stored.
Hi there @powerman, I just learned about this project and was curious about what issues are open. Just a thought, as a workaround for this you could invoke it in a Bash subshell (the parens) that first changes to that directory:
$ (cd ~/.minica && minica example.com)
I left the minica generated files in a folder outside my project and created symlinks to the project files from the root of my project. I use Git so I added the file names to .gitignore.
I've been thinking about this issue. I think of minica as having two purposes:
1. Certificates for local development
2. Certificates for RPCs, or test harnesses, or general internal-only services that don't need an external CA.
I think (1) is probably now satisfied better by https://github.com/FiloSottile/mkcert (though I haven't tried it myself). The advantage of mkcert is that it knows how to add its root to local trust stores automatically.
For (2), I think it makes more sense to write in the current directory, rather than always to a dotfile directory in the user's home. The reason is that each project or use case should probably have its own CA. If we default to putting things in people's homedir, I think that encourages reusing the same CA across multiple projects, which increases the risk of mistakes.
What do you think?
@powerman I'll echo Jacob and say mkcert is probably a better fit for you. The auto install into chrome/firefox is super nice.
Well, for now I've switched back to using EasyRSA and wrote How to securely test local/staging HTTPS project. I don't really think auto install is a critical feature because it has to be done just once by each developer, but, sure, it's nice to have.
The current behavior is simple and predictable. Ask any average Windows dev what a dot folder is. They'll go "huh?". Besides - a cert is not a config file, which is what dot files are for.
related #65