🔐 The OpenAuthority Project

User-controlled Certificate Authority Trust Store

📤 Upload Root CA Certificate

Requirements

  • Certificate must be a Root CA (Basic Constraints: CA=true)
  • Certificate must have a Name Constraints extension
  • For each DNS name in the constraints, publish a TXT record:
    _openauthority.yourdomain.com TXT "openauthority-ca-sha512=<hash>"
  • For IP constraints, add the hash to your WHOIS/RDAP remarks
  • New certificates enter a 7-day probationary period with enhanced verification

; Example DNS TXT record
_openauthority.example.com. IN TXT "openauthority-ca-sha512=abc123..."

Accepts PEM or DER format (.pem, .crt, .cer, .der)
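
The TXT record requirement above can be prepared and checked locally before uploading. This is an added example, not OpenAuthority's own code: it assumes <hash> is the lowercase hex SHA-512 of the certificate's DER encoding (the page does not specify the encoding), and all function names are hypothetical.

```python
import hashlib
import ssl

TXT_PREFIX = "openauthority-ca-sha512="      # key name taken from the page
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def cert_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input (the page accepts both) and return DER bytes."""
    stripped = data.strip()
    if stripped.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    return data


def ca_fingerprint(data: bytes) -> str:
    # ASSUMPTION: <hash> is the lowercase hex SHA-512 of the DER encoding,
    # so the PEM and DER forms of one certificate give the same value.
    return hashlib.sha512(cert_to_der(data)).hexdigest()


def txt_record(domain: str, data: bytes) -> str:
    """Zone-file line to publish for one DNS name in the Name Constraints."""
    # Name Constraints may write a subtree as ".example.com"; drop the dots.
    name = domain.strip().strip(".").lower()
    return f'_openauthority.{name}. IN TXT "{TXT_PREFIX}{ca_fingerprint(data)}"'


def txt_matches(txt_values, data: bytes) -> bool:
    """True if any TXT string found at _openauthority.<domain> names this cert."""
    want = ca_fingerprint(data)
    for value in txt_values:
        value = value.strip().strip('"')
        if not value.startswith(TXT_PREFIX):
            continue                         # unrelated TXT record at that name
        if value[len(TXT_PREFIX):].strip().lower() == want:
            return True
    return False


# Constructed stand-in bytes, not a real certificate: only the hashing and
# the record formatting are exercised here.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    print(txt_record("example.com", SAMPLE_PEM))
```

Pass the strings returned by your resolver for `_openauthority.<domain>` to `txt_matches` to confirm the record is live before starting the probationary period.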


📜 Verified Certificate Authorities

Probationary certificates are verified every 6 hours for 7 days before becoming fully active.

📋 Verification Audit Log

⬇️ Export Trust Store

Download all verified CA certificates to import into your OS trust store.

⚠️ Only fully active certificates are included in exports. Probationary certificates are excluded.


Import Instructions

macOS:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain openauthority-trust-store.pem

Linux (Debian/Ubuntu):

sudo cp openauthority-trust-store.pem /usr/local/share/ca-certificates/openauthority.crt
sudo update-ca-certificates

Windows (PowerShell as Admin):

Import-Certificate -FilePath openauthority-trust-store.pem -CertStoreLocation Cert:\LocalMachine\Root