OpenAuthority

User-Controlled Certificate Authority Trust Store

Every CA Constrained. Every Domain Verified.

OpenAuthority is a trust store where every certificate authority is limited to its own domains. No unconstrained roots. No unlimited signing power. Just certificates for the domains you actually control—verified through DNS and monitored continuously.

Why This Is Safe

A fundamentally different approach to certificate trust.

Mandatory Name Constraints

Every CA must have name constraints. A CA for example.com can only sign certificates for example.com and its subdomains. Unconstrained roots are prohibited.

Continuous Verification

CAs aren't verified once—they're checked continuously. Probationary CAs every 6 hours, active CAs every 24 hours. Remove your DNS record and your CA is automatically revoked.

Limited Blast Radius

Even if a CA is compromised, attackers can only issue certificates for domains in that CA's constraints—not for any domain on the internet.

The Problem with Today's CA System

The current certificate ecosystem is controlled by a handful of authorities.

Shrinking Certificate Lifetimes

Let's Encrypt certificates last only 90 days. The CA/Browser Forum is pushing to reduce all public certificates to just 47 days by 2029.

Centralized Control

A small group of CAs and browser vendors control which certificates your devices trust. You have no say in the matter.

The CT Log Illusion

Certificate Transparency is presented as comprehensive monitoring, but not all CAs participate. Your certificates are exposed publicly while malicious certificates may go unlogged—a false sense of security.

How OpenAuthority Works

A transparent, verifiable system where domain owners prove they control their CA.

1. Create Your Root CA with Name Constraints

Generate a root CA certificate that includes Name Constraints—limiting which domains it can sign for. This is mandatory.

2. Prove Domain Ownership via DNS

Publish a TXT record containing your CA's SHA-512 fingerprint at _openauthority.yourdomain.com.

3. Pass the 7-Day Probationary Period

Your CA enters a probationary period where we verify the DNS record every 6 hours for 7 days.

4. Join the Trust Store

Once verified, your CA is included in the OpenAuthority trust store for anyone to download.

Who Is This For?

Homelabbers & Self-Hosters

Run your own CA for your homelab without browser warnings.

Enterprises & Organizations

Full control over your internal PKI with custom certificate lifetimes. No more relying on external CAs.

CA Service Providers

Build a business offering hosted CA services with verifiable trust.

Upload Root CA Certificate

Add a new certificate authority to the trust store

Requirements
  • Certificate must be a Root CA (Basic Constraints: CA=true)
  • Certificate must have Name Constraints extension (unconstrained CAs are rejected)
  • For each DNS name, publish: _openauthority.yourdomain.com TXT "openauthority-ca-sha512=<fingerprint>"
  • New certificates enter a 7-day probationary period

; Example DNS TXT record
_openauthority.example.com. IN TXT "openauthority-ca-sha512=abc123..."
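
The following Go program is an added example written for this page, not OpenAuthority's own code (the service publishes no client API, so every function name here is hypothetical). Using only the standard library, it walks steps 1 to 3 of the process described above: it generates a self-signed root whose Name Constraints extension is critical and permits a single domain, applies the upload requirements listed above to the parsed certificate, derives the _openauthority.<name> TXT records from the certificate's permitted names, and runs one verification check against a lookup function that stands in for the DNS-over-HTTPS query (a constructed map here, live DNS in the real service). Lowercase hex is assumed for the SHA-512 fingerprint, since the page shows only "abc123...".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newConstrainedRoot (all names in this file are hypothetical; the page publishes no API)
// builds a self-signed root whose Name Constraints permit only the listed DNS names
// (each name also covers its subdomains).
func newConstrainedRoot(cn string, permitted []string, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: cn},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(lifetime),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: true, // a relying party that cannot process it must reject the chain
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// fingerprintSHA512 is the SHA-512 of the DER certificate as lowercase hex (assumed encoding).
func fingerprintSHA512(cert *x509.Certificate) string {
	sum := sha512.Sum512(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// checkSubmission enforces the upload requirements: CA=true, self-signed root, constrained.
func checkSubmission(cert *x509.Certificate) error {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return fmt.Errorf("rejected: Basic Constraints CA=true is required")
	}
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return fmt.Errorf("rejected: not a self-signed root: %w", err)
	}
	if len(cert.PermittedDNSDomains) == 0 {
		return fmt.Errorf("rejected: unconstrained CA (no permitted DNS names)")
	}
	return nil
}

// expectedTXTRecords maps each permitted DNS name to the TXT record required at _openauthority.<name>.
func expectedTXTRecords(cert *x509.Certificate) map[string]string {
	want := "openauthority-ca-sha512=" + fingerprintSHA512(cert)
	out := make(map[string]string, len(cert.PermittedDNSDomains))
	for _, d := range cert.PermittedDNSDomains {
		out["_openauthority."+strings.TrimPrefix(d, ".")] = want
	}
	return out
}

// verifyDNS performs one verification check; lookup stands in for the live TXT query.
func verifyDNS(cert *x509.Certificate, lookup func(name string) []string) error {
	for name, want := range expectedTXTRecords(cert) {
		found := false
		for _, txt := range lookup(name) {
			found = found || strings.EqualFold(strings.TrimSpace(txt), want)
		}
		if !found {
			return fmt.Errorf("%s: expected TXT record not found", name)
		}
	}
	return nil
}

func main() {
	root, _, err := newConstrainedRoot("Example Homelab Root", []string{"example.com"}, 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("submission error:", checkSubmission(root))
	records := expectedTXTRecords(root)
	for name, txt := range records {
		fmt.Printf("%s. IN TXT %q\n", name, txt) // the line to publish in the zone (step 2)
	}
	// Constructed lookup returning exactly the published records (step 3, one check).
	fmt.Println("verification error:", verifyDNS(root, func(n string) []string { return []string{records[n]} }))
}
```

The private key never leaves the operator's machine; the trust store only sees the certificate. Because the TXT record commits to the full DER encoding, re-issuing the root (new key or new validity) changes the fingerprint, so it needs a new record and, per the requirements above, a fresh probationary period.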

Verified Certificate Authorities

Probationary CAs are verified every 6 hours. Active CAs are verified every 24 hours.

Verification Audit Log

Complete history of all verification checks. Logs are cryptographically signed for integrity verification.

Export Trust Store

Download all verified CA certificates. Only fully active certificates are included.

Download Formats

Choose the format that works best for your platform

Installation Instructions

iOS & macOS Installation

Download the .mobileconfig profile.

  1. Download the profile using Safari
  2. Go to Settings → General → VPN & Device Management and install
  3. iOS only: Enable trust in Settings → General → About → Certificate Trust Settings

Android Installation

Download the ZIP archive and install each certificate:

  1. Extract the ZIP file
  2. For each .crt: Settings → Security → Install certificates → CA certificate

⚠️ Important Limitation

Since Android 7, user-installed CA certificates are not trusted by most apps by default. Only apps that explicitly opt in (via networkSecurityConfig) will trust these certificates. System apps, Chrome, and most third-party apps will not trust user-installed CAs.

What works: Your own apps (if configured), some browsers like Firefox, apps you control.
What doesn't: Chrome, system WebView, most third-party apps.

Windows Installation

Download the ZIP archive:

  1. Extract the ZIP
  2. For each .crt: Double-click → Install Certificate → Local Machine → Trusted Root CAs

PowerShell (Admin):

Get-ChildItem *.crt | ForEach-Object { Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\Root }

Linux Installation

Debian/Ubuntu:

sudo cp openauthority-trust-store.pem /usr/local/share/ca-certificates/openauthority.crt
sudo update-ca-certificates

Fedora/RHEL:

sudo cp openauthority-trust-store.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Frequently Asked Questions

Everything you need to know about OpenAuthority

OpenAuthority is a community-driven certificate authority trust store that allows anyone to run their own CA and have it trusted by others, using cryptographic proof (DNS verification) rather than expensive audits. Every CA must have name constraints, limiting it to only sign certificates for domains the operator controls.

Name Constraints are an X.509 extension that limits which domains a CA can issue certificates for. We require them so your CA can only sign for domains you control. This is the key security feature that makes OpenAuthority safe—even if a CA is compromised, it cannot issue certificates for domains outside its constraints. Unconstrained CAs are rejected.

Publish a DNS TXT record at _openauthority.yourdomain.com containing openauthority-ca-sha512=<fingerprint>. This proves you control the domain. The record must remain in place for your CA to stay in the trust store.

The probationary period prevents attackers from briefly hijacking DNS to inject malicious CAs. We verify every 6 hours for 7 days (28 successful checks) before a CA becomes fully active.

Active CAs are verified every 24 hours. Probationary CAs are verified every 6 hours. Remove the DNS TXT record to revoke your CA.

Simply remove the DNS TXT record. Your CA will be automatically revoked at the next verification check—within 24 hours for active CAs, or within 6 hours for probationary CAs. The revocation will appear in the audit log.

You're in complete control—1 year, 5 years, 10 years, whatever makes sense for your use case. No more 90-day renewals unless you want them.

Each audit log entry contains a cryptographic hash that includes the previous entry's hash, creating a verifiable chain. Any modification breaks the chain and is immediately detectable.
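
The hash chain described in the last answer, as an added Go example written for this page rather than taken from OpenAuthority: the page states only that each entry's hash includes the previous entry's hash and that the log is cryptographically signed, so the entry fields, the canonical encoding that is hashed, and the Ed25519 signature over each hash are assumptions. Verify is what a downloader with the service's public key would run over an exported log; it detects an edited entry, an entry re-hashed without the signing key, and a removed entry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is a hypothetical layout; the page describes the chaining, not the fields.
type Entry struct {
	Seq         int
	Timestamp   string // RFC 3339 (constructed values below)
	Fingerprint string // SHA-512 of the CA that was checked
	Result      string // e.g. "ok", "missing", "revoked"
	PrevHash    string // hex hash of the previous entry; "" for the first
	Hash        string // hex SHA-256 over the fields above
	Signature   string // hex Ed25519 signature over Hash by the service key
}

// canonical serialises the hashed fields with fixed separators so that equal
// content always yields the same hash.
func canonical(e Entry) string {
	return strings.Join([]string{fmt.Sprint(e.Seq), e.Timestamp, e.Fingerprint, e.Result, e.PrevHash}, "\n")
}

func entryHash(e Entry) string {
	sum := sha256.Sum256([]byte(canonical(e)))
	return hex.EncodeToString(sum[:])
}

// Log is the service-side writer; only it holds the signing key.
type Log struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Entries []Entry
}

func NewLog() (*Log, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Log{priv: priv, Pub: pub}, nil
}

// Append records one verification check, linking it to the previous entry's hash.
func (l *Log) Append(ts, fingerprint, result string) Entry {
	e := Entry{Seq: len(l.Entries), Timestamp: ts, Fingerprint: fingerprint, Result: result}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = entryHash(e)
	e.Signature = hex.EncodeToString(ed25519.Sign(l.priv, []byte(e.Hash)))
	l.Entries = append(l.Entries, e)
	return e
}

// Verify is what a downloader runs on an exported log with only the public key:
// every hash must match its content, link to its predecessor and carry a valid signature.
func Verify(pub ed25519.PublicKey, entries []Entry) error {
	prev := ""
	for i, e := range entries {
		if e.Seq != i {
			return fmt.Errorf("entry %d: sequence gap (entry removed?)", i)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain broken", i)
		}
		if entryHash(e) != e.Hash {
			return fmt.Errorf("entry %d: content does not match its hash", i)
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil || !ed25519.Verify(pub, []byte(e.Hash), sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = e.Hash
	}
	return nil
}

func main() {
	l, err := NewLog()
	if err != nil {
		panic(err)
	}
	fp := "abc123..." // placeholder fingerprint taken from the page's own example record
	l.Append("2025-01-01T00:00:00Z", fp, "ok")
	l.Append("2025-01-01T06:00:00Z", fp, "ok")
	l.Append("2025-01-01T12:00:00Z", fp, "missing")
	fmt.Println("original:", Verify(l.Pub, l.Entries))
	tampered := append([]Entry(nil), l.Entries...)
	tampered[2].Result = "ok" // attempt to hide the failed check
	fmt.Println("tampered:", Verify(l.Pub, tampered))
}
```

One caveat for anyone consuming the export: a chain check alone cannot detect truncation of the newest entries, since a shortened log is still internally consistent. The reader needs the current head hash (or entry count) from a second channel, or should compare successive exports, to confirm nothing was dropped from the end.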

By using OpenAuthority, you agree that:

  • No warranty: This service is provided "as-is" without guarantees of availability or fitness for any purpose.
  • Your responsibility: You are responsible for the security of your CA's private key and the certificates you issue.
  • Accurate information: CAs submitted must have valid name constraints matching domains you control.
  • Removal: We reserve the right to remove any CA that fails verification or violates these terms.

CaramelFox Networks LLC is not liable for any damages arising from use of this service.

About OpenAuthority

Transparency about who we are and how this works.

Operator

OpenAuthority is maintained by CaramelFox Networks LLC, a registered LLC in the State of New York.

Infrastructure

  • Hosted entirely on Cloudflare (Pages + Service Workers)
  • DNS verification queries run through our DNS-over-HTTPS server
  • No user accounts, no authentication system to compromise

Funding

OpenAuthority currently operates at zero cost using Cloudflare's free tier. The only expense is annual domain renewal.

No venture capital. No ads. No data sales. No premium tiers.

Security Model

OpenAuthority is designed with security as a core principle:

  • Mandatory name constraints: Every CA is limited to specific domains. Unconstrained CAs are rejected. Even if a CA is compromised, it cannot issue certificates for domains outside its constraints.
  • Continuous verification: CAs are re-verified every 6-24 hours. Remove your DNS record and your CA is automatically revoked.
  • Minimal attack surface: No user accounts, no passwords, no database of personal information. Infrastructure runs on Cloudflare's edge network.
  • Full audit trail: Every verification check is logged with cryptographic integrity verification.

Privacy

OpenAuthority doesn't have user accounts and doesn't collect personal information.

What we store:

  • Uploaded CA certificates (public data)
  • Associated domain names (from name constraints)
  • Verification status and timestamps

What we don't store:

  • Email addresses
  • IP addresses
  • Usage analytics
  • Any personally identifiable information

Cloudflare, as our infrastructure provider, may collect standard web traffic data per their privacy policy.

Contact

Join our community on Discord for questions, feedback, or support: