For quite a few projects, I use a standard domain for which I have the SSL certs.
Some of these projects require an SSL certificate to function (maybe for external requirements etc.)
To onboard people to the project, asking them to get a valid SSL certificate can be a pain.
Obviously getting them to create a CA certificate, generate a server cert etc. and adding the CA cert can be a pain.
So my thought was to share a common set of keys that are only used for local development for a non-functioning domain.
But I took this thought a step further... why shouldn't there be (or I create) a service hosted on a real domain, which provides its own SSL certificate - providing the public and private key to anyone that requests it (e.g. https://mylocaldev.com/public.pem / https://mylocaldev.com/private.pem).
Maybe the certificate could be for a sub-domain of the actual domain, which doesn't host the actual 'site' that provides the certs (e.g. https://mylocaldev.com/certs.pem provides the certs for https://dev.mylocaldev.com)
This way, anyone could obtain the SSL cert, add the domain to their hosts file and use the certs for hosting apps locally.
Obviously, standard points:
* This is a blatant issue for MITM attacks
- But what would they be intercepting.. the public/private key?.. who cares?
* The SSL traffic generated by the applications that people use the certificate for could be 'MITM'ed or decrypted - Again, if it's local development, I can't see a difference over hosting local applications without any SSL encryption
Maybe I'm missing something else? If not, how has something like this not already been done? On the flip side, am I right in thinking this _would_ solve real-life problems that people face?
Certainly feels easier than using tunneling software that SSL-wraps the traffic (https://github.com/localtunnel/localtunnel) - though obviously this is only a small benefit of using applications like that (i.e. making your local development environment publicly accessible).
The only thing well-known CAs bring is that they work out of the box in browsers/OSs as they act as trusted third parties, but you can add your own CA to your browser/OS if you wish. No sharing of private keys involved.
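The "create a CA, issue a server cert, add the CA to the trust store" procedure that the question calls a pain and the answer recommends, as an added shell example that is not part of the original question or answer. It uses only the openssl CLI; the hostnames dev.mylocaldev.com / localhost, the subject names and the output directory are assumptions chosen for illustration. The point the answer makes is built into the checks: ca.key and dev.key never leave the machine that generated them, and only ca.crt is imported anywhere.

```shell
#!/bin/sh
# Added example, not from the original thread: a throwaway local CA plus a leaf
# certificate for the hypothetical dev.mylocaldev.com, issued and verified with
# the openssl CLI.  Only ca.crt is ever shared or added to a trust store; ca.key
# and dev.key stay on the machine that generated them.
set -eu

# make_local_ca DIR
#   Writes ca.key, ca.crt, dev.key, dev.crt into DIR, verifies the chain and the
#   hostname binding, and prints "ok".  Any openssl failure aborts (set -e).
make_local_ca() {
  dir="$1"
  mkdir -p "$dir"

  # Extensions for the CA: a real CA bit, restricted to signing leaf certs only.
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Extensions for the leaf: not a CA, server auth only, and a SAN list.
  # Browsers ignore the CN and match the hostname against subjectAltName.
  cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dev.mylocaldev.com, DNS:localhost, IP:127.0.0.1
authorityKeyIdentifier = keyid
EOF

  # 1. CA key and self-signed CA certificate (ca.crt is the file a developer imports).
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=mylocaldev local dev CA" \
    -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 2. Leaf key, CSR and certificate signed by the CA.  825 days is the longest
  #    validity Apple platforms accept for a TLS server certificate.
  openssl genrsa -out "$dir/dev.key" 2048 2>/dev/null
  openssl req -new -key "$dir/dev.key" -subj "/CN=dev.mylocaldev.com" \
    -out "$dir/dev.csr" 2>/dev/null
  openssl x509 -req -in "$dir/dev.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/leaf.ext" -out "$dir/dev.crt" 2>/dev/null

  # 3. Checks: the chain verifies against the CA, the cert is valid for the dev
  #    hostname, and it is NOT accepted for a name outside its SAN list.
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname dev.mylocaldev.com \
    "$dir/dev.crt" >/dev/null
  if openssl verify -CAfile "$dir/ca.crt" -verify_hostname www.example.com \
      "$dir/dev.crt" >/dev/null 2>&1; then
    echo "leaf cert unexpectedly valid for a foreign hostname" >&2
    return 1
  fi

  # 4. The leaf must not itself be usable as a CA (a classic misconfiguration
  #    when people reuse the CA settings for the server cert).
  if openssl x509 -in "$dir/dev.crt" -noout -text | grep -q "CA:TRUE"; then
    echo "leaf cert carries the CA bit" >&2
    return 1
  fi
  echo ok
}

# Stand-alone use:  sh thisfile.sh --run ./localdev-ca
if [ "${1:-}" = "--run" ]; then
  make_local_ca "${2:-./localdev-ca}"
fi
```

Each developer runs this once on their own machine, adds `127.0.0.1 dev.mylocaldev.com` to their hosts file, points the local server at dev.key/dev.crt and imports ca.crt into the trust store (Debian/Ubuntu: copy it to /usr/local/share/ca-certificates/ as a .crt and run `update-ca-certificates`; macOS: `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt`; Firefox keeps its own store unless `security.enterprise_roots.enabled` is set). Nothing in this flow is downloaded from a third party, so the MITM concern in the question simply does not arise: the private keys are generated locally and the CA is scoped to a developer's own machine.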