"Is it safe? ... Unless you install your own CA certificate in the browser or in the root certificate store of whatever other technology you use, they will complain about not being able to validate the certificates. This does not mean they are unsafe, just that they don't know to trust the certificates."
Not being able to trust that you're talking to who you think you are seems like a serious example of "not safe".
Teaching users to click through the warning screen is a serious anti-pattern; the reason browsers keep making it scarier / harder is to try to stop the security theatre that occurs when using untrusted certs.
Instantly clear to me that this is for internal tooling use only.
"For what would I use TinyCert certificates?
Any place you would use (or should have used) self-signed certificates. Don't leave admin panels, such as phpMyAdmin, a CMS or a webmail install without some protection to keep your password from being intercepted. Use them to protect your test and development installations. Use them on your local POP or IMAP servers. Or use them to test your own code involving certificates." - https://www.tinycert.org/faq#use
Untrusted, fraudulent and unsafe are three entirely different things. Just because the browser doesn't trust the certificate does not mean it is unsafe or fraudulent. You as the end user can verify whether the certificate the browser presents is the one you installed yourself and as such whether you're talking to who you think you're talking to.
I can't control what people do with the certificates, but I'm recommending against the use of TinyCert certificates for the public web. When used as intended, only people who have themselves generated and installed the TinyCert certificates (or their associates if so instructed) will see them and click past. Anybody else should get the big scary warning and will hopefully, rightfully, heed it.
Not cool. Private keys generated on their servers and then the idea of installing the certs as trusted in your OS/browser is mentioned. Also 1024-bit keys. Is this some kind of test to see who falls for this?
This is not intended to be a substitute for a proper CA, not intended to be used in production. Only for convenience, and if you trust yourself and the service, you can install your root certificate in your browser. If not, then don't. Just like pushing past the security warning, I strongly recommend against the procedure to end users. Only to people who know what they are doing.
I was glad to see this was free, as it's not that difficult to do this in a development environment. That said, as someone that once created an OSS tool used by tens of thousands of developers - and had one single donation sent my way - I'll probably donate to the developers.
It's great utilities like this that can help introduce you as a developer in a crowded community.
I believe in karma - put something out there for others and it will come back in droves. So, really cool little tool, thank you! And thanks for making it free, I hope Karma treats you well!
It's nice that this service is trying to make it easier, but why should anyone trust TinyCert? How can I trust that TinyCert won't issue certificates without my consent? Or sell my private keys to others?
The commands really aren't that complicated. You can (and really should) learn how to do this if you need to issue certificates.
As for why to trust it... you won't know to trust me any more than a real CA. With a real CA you also only have their word. I've taken as many steps as I can to ensure that the private keys are not kept unencrypted anywhere where this is not needed (and they are only needed when signing something and when you request a download) and that the passphrase is in flight as short as possible.
While anything is theoretically possible with enough malicious intent, I've made selling private keys or issuing certificates with your private key without your consent as exceedingly difficult as possible for myself.
This obviously should not be added to the list of trusted CAs in any browser, and these certs should not be used in the public web. Unfortunately, neither should many certificate authorities be trusted.
Just to clarify: there is not 1 root certificate for all of the TinyCert generated certificates. There are root certificates for every single account. I did this intentionally to ensure that nobody would be careless enough to trust such a root and thus implicitly trust every TinyCert certificate everywhere. Basically, only the people who created their own CA through TinyCert have any business installing their root certificates (and only theirs!) into their browsers.
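The three points raised above (you can verify that the root your browser shows is the one you installed yourself; the openssl commands for issuing your own certificates aren't that complicated; and only your own account's root, never anyone else's, should be trusted) can be checked with a few lines of shell. The script below is an added example and not TinyCert's own tooling; it builds two independent "account" roots with openssl, issues a leaf from one of them, and shows that the leaf verifies only against the root that actually signed it. It also computes the root's SHA-256 fingerprint (the value to compare against what the browser displays) and reads the RSA key size out of a certificate, which is the check that would have flagged the 1024-bit keys mentioned earlier. The account names "alice" and "bob", the host "dev.internal.example" and the temporary work directory are illustrative assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example, not TinyCert's own tooling: the openssl commands behind a
# per-account CA, plus the checks a user of such a CA should run.
# Assumptions (illustrative, not from the thread): the account names "alice"
# and "bob", the host "dev.internal.example", and a temporary work directory.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "skipping: the openssl CLI is required for this example" >&2
    exit 0
fi

WORK="${WORK:-$(mktemp -d)}"

# make_root NAME BITS: one self-signed root per "account". CA:TRUE and
# keyCertSign are set explicitly so verification does not depend on the
# system openssl.cnf.
make_root() {
    name="$1"; bits="$2"
    cat >"$WORK/$name-root.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $name dev root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey "rsa:$bits" -nodes -sha256 -days 3650 \
        -config "$WORK/$name-root.cnf" \
        -keyout "$WORK/$name-root.key" -out "$WORK/$name-root.pem" >/dev/null 2>&1
}

# issue_leaf ROOTNAME HOST: CSR for HOST, signed by ROOTNAME's key, with the
# end-entity extensions (CA:FALSE, serverAuth, SAN) a browser expects.
issue_leaf() {
    root="$1"; host="$2"
    cat >"$WORK/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -sha256 -days 825 \
        -CA "$WORK/$root-root.pem" -CAkey "$WORK/$root-root.key" -CAcreateserial \
        -extfile "$WORK/leaf.cnf" -extensions leaf_ext \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf ROOT.pem LEAF.pem: prints OK if LEAF chains to ROOT, else FAIL.
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# fingerprint CERT.pem: SHA-256 fingerprint of the DER certificate, the value
# to compare against what the browser's certificate viewer shows.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# key_bits CERT.pem: RSA modulus size of the certificate's public key.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

make_root alice 2048
make_root bob 2048
make_root weak 1024          # what a 1024-bit root would look like to the check
issue_leaf alice dev.internal.example

echo "work dir: $WORK"
echo "alice root SHA-256 fingerprint: $(fingerprint "$WORK/alice-root.pem")"
echo "leaf key: $(key_bits "$WORK/leaf.pem") bits; weak root: $(key_bits "$WORK/weak-root.pem") bits"
echo "leaf against alice's root (own): $(verify_leaf "$WORK/alice-root.pem" "$WORK/leaf.pem")"
echo "leaf against bob's root (other account): $(verify_leaf "$WORK/bob-root.pem" "$WORK/leaf.pem")"
```

The last two lines are the point about per-account roots: installing bob's root gives bob's certificates no standing against a leaf alice issued, and vice versa, so trusting only the root you generated yourself trusts only what you signed. The fingerprint is what to compare, character by character, with the certificate the browser actually presents before clicking past any warning; a different value means you are not talking to the server you set up.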
I don't like the idea of not having my development certificates under control. They should be as secure as the production certs in my opinion.
I use PHPKi for that purpose, it's not pretty but easy to setup and it runs in my own environment.