DEV Community

rocketsquirreldev

Stop Building X.509 Chains Manually: 1-Click Presets for TLS & Code Signing (x509Lab v1.7.0)

Hey everyone, RocketSquirrel here! 🐿️ By day, I'm an embedded software developer, and by night, I build side projects.

I'm the creator of x509Lab, a purely client-side browser tool for visualizing and generating X.509 certificate chains. Today, I'm pushing the v1.7.0 update, and it solves the most annoying part of testing PKI infrastructure: node-by-node manual setup.

The Problem: Remembering RFC 5280

If you wanted to build a simple TLS server chain in the previous version, you had to:

  1. Add a Root CA node.
  2. Add an Intermediate CA node.
  3. Add a Leaf node.
  4. Manually link them all together.
  5. Figure out which Key Usage and Extended Key Usage (EKU) extensions to apply (keyEncipherment? serverAuth?).

It was tedious.

The Solution: 1-Click Chain Presets

I've completely automated this process. You can now click the 📦 Chain Presets button in the sidebar and choose from three ready-to-use architectures.

| Preset | Chain Structure | Key Usage | EKU |
| --- | --- | --- | --- |
| 🌐 TLS Server | Root → Intermediate → Server | digitalSignature, keyEncipherment | serverAuth |
| 📦 Code Signing | Root → Signing CA → Code Cert | digitalSignature | codeSigning |
| ✉️ S/MIME | Root → Email Cert | digitalSignature, keyEncipherment | emailProtection |

The app also automatically selects the modern recommended algorithms for you (e.g., ECDSA P-256 for TLS, and RSA-2048 for Code Signing).

How it works under the hood (Web Crypto API)

To make this work, I had to rewrite my internal buildTBSCertificate() function.

Previously, it only handled the BasicConstraints extension (to flag CA:TRUE). Now, it accepts keyUsageBits and ekuOids arrays, dynamically applying strict DER encoding to inject the correct extensions into the generated certificates based on the selected preset.
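To make the DER step concrete, here is an added sketch (not x509Lab's actual source) of how the KeyUsage and Extended Key Usage extensions can be encoded from keyUsageBits and ekuOids. The function names, the array shapes, and the choice to mark KeyUsage critical are assumptions of this example.

```javascript
// Added example, not x509Lab source. Assumed shapes: keyUsageBits is an array
// of RFC 5280 bit indices (0 = digitalSignature, 2 = keyEncipherment) and
// ekuOids is an array of dotted-decimal OID strings.
const tlv = (tag, body) => {
  // DER definite length: short form below 128, otherwise minimal long form.
  const n = body.length;
  const len = n < 128 ? [n] : n < 256 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return [tag, ...len, ...body];
};

// OBJECT IDENTIFIER: the first two arcs are merged, then each value is base-128.
function oid(dotted) {
  const [a, b, ...rest] = dotted.split(".").map(Number);
  const out = [];
  for (let arc of [40 * a + b, ...rest]) {
    const chunk = [arc & 0x7f];
    while ((arc = Math.floor(arc / 128)) > 0) chunk.unshift((arc & 0x7f) | 0x80);
    out.push(...chunk);
  }
  return tlv(0x06, out);
}

// KeyUsage is a named-bit BIT STRING: bit 0 is the MSB of the first byte and
// DER requires trailing zero bits to be dropped (counted in the first octet).
function keyUsageExt(keyUsageBits) {
  if (!keyUsageBits.length || keyUsageBits.some((b) => b < 0 || b > 8))
    throw new Error("KeyUsage needs at least one bit in the range 0..8");
  const max = Math.max(...keyUsageBits);
  const bytes = new Array((max >> 3) + 1).fill(0);
  for (const bit of keyUsageBits) bytes[bit >> 3] |= 0x80 >> (bit & 7);
  const bitString = tlv(0x03, [7 - (max & 7), ...bytes]);
  // Extension ::= SEQUENCE { extnID, critical BOOLEAN TRUE, extnValue OCTET STRING }
  return tlv(0x30, [...oid("2.5.29.15"), 0x01, 0x01, 0xff, ...tlv(0x04, bitString)]);
}

// ExtKeyUsage is a SEQUENCE OF OID; critical is left at its DEFAULT FALSE,
// which DER encodes by omitting the BOOLEAN entirely.
function ekuExt(ekuOids) {
  if (!ekuOids.length) throw new Error("EKU needs at least one OID");
  const seq = tlv(0x30, ekuOids.flatMap((o) => oid(o)));
  return tlv(0x30, [...oid("2.5.29.37"), ...tlv(0x04, seq)]);
}

const hex = (bytes) => bytes.map((b) => b.toString(16).padStart(2, "0")).join("");

// TLS Server preset from the table: digitalSignature + keyEncipherment, serverAuth.
console.log(hex(keyUsageExt([0, 2])));
console.log(hex(ekuExt(["1.3.6.1.5.5.7.3.1"])));
```

The hex output can be pasted into any ASN.1 decoder to confirm the BIT STRING carries the expected unused-bit count, which is the detail hand-written encoders most often get wrong.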

And as always, zero data leaves your browser. Everything is computed locally using the Web Crypto API. No backend, no OpenSSL installation required.

🔗 Try it live in your browser: https://x509lab.vercel.app

If you are a DevOps engineer or just studying PKI, I hope this saves you some headache! Let me know what you think.
