DEV Community

rocketsquirreldev


[x509Lab] Sign new Leaf certificates with your existing Root CA directly in the browser (x509Lab v1.3.0)

Hey everyone. I'm building x509Lab, a purely client-side web tool for visualizing and generating certificate chains. I usually work on this late at night after putting my kid to sleep, so I try to focus on fixing real annoyances I face during my day job.

A huge pain point in the previous version was that whenever you hit the Generate button, the app would blindly generate brand new keys and certificates for the entire tree.

But what if you already have a Root CA and an Intermediate CA, and you just want to generate a new Leaf certificate signed by that existing Intermediate CA?

With the new v1.3.0 update, you can finally do exactly that.

How to use the selective signing feature

The workflow is designed to be as frictionless as possible.

  1. First, build your tree on the canvas (e.g., Root -> Intermediate -> Leaf).
  2. Second, upload your existing certificate PEM files to the Root and Intermediate nodes.
  3. Third, you will notice a new [+ Add Key] button appears on nodes that have a certificate loaded. Click it to provide the matching Private Key.
  4. Finally, hit Generate Certs.

The app will now recognize that the upper nodes already have their cryptographic material. It will skip generating them and only generate the new Leaf certificate, automatically signing it using the Intermediate CA's private key you provided.

Visual status in the generation modal

To prevent confusion when dealing with larger chains, the Generate modal now uses a simple color-coded status system:

  • 🟢 Green: The node has both a certificate and a private key. It will be skipped during generation but used for signing downstream.
  • 🟡 Yellow: The node has a certificate but is missing a private key. You need to add it if you want it to sign the nodes below it.
  • ⚪ Default/Gray: No certificate exists. The app will generate a fresh one.

You can even add the missing private keys directly from inside the modal if you see a yellow warning, saving you a few clicks.

A quick note on security

I know that pasting a Private Key into a web browser sounds like a terrible idea for any security or infra engineer.

Please rest assured that x509Lab is a 100% client-side application. There is no backend server. Your private keys never leave your machine; they are only stored temporarily in your browser's memory to perform the Web Crypto API signing operations and are completely wiped the moment you close or refresh the tab.
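A check that fits the [+ Add Key] step and the key handling described in this note, as an added example (not x509Lab's code): it imports the private key as a non-extractable Web Crypto key and confirms it matches the certificate's public key before it is used for signing. It assumes ECDSA P-256 and that the certificate's SubjectPublicKeyInfo (SPKI) bytes have already been parsed out of the PEM; the function names are hypothetical.

```javascript
// Added example, not x509Lab source. Assumptions: ECDSA P-256 keys, and the
// certificate's SPKI bytes were already extracted from the uploaded PEM.
// Browsers and recent Node expose globalThis.crypto; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const ALG = { name: "ECDSA", namedCurve: "P-256" };
const SIG = { name: "ECDSA", hash: "SHA-256" };

// Import a PKCS#8 private key for signing only. extractable=false means
// exportKey() on the resulting CryptoKey is rejected.
async function importSigningKey(pkcs8) {
  return webcrypto.subtle.importKey("pkcs8", pkcs8, ALG, false, ["sign"]);
}

// True only if a signature made with privateKey verifies under the
// certificate's public key, i.e. the pair actually belongs together.
async function keyMatchesCert(privateKey, certSpki) {
  const publicKey = await webcrypto.subtle.importKey("spki", certSpki, ALG, false, ["verify"]);
  const challenge = webcrypto.getRandomValues(new Uint8Array(32));
  const sig = await webcrypto.subtle.sign(SIG, privateKey, challenge);
  return webcrypto.subtle.verify(SIG, publicKey, sig, challenge);
}

// Constructed sample material: two fresh key pairs stand in for an uploaded
// CA certificate/key and for a wrong key pasted by mistake.
async function demo() {
  const s = webcrypto.subtle;
  const ca = await s.generateKey(ALG, true, ["sign", "verify"]);
  const other = await s.generateKey(ALG, true, ["sign", "verify"]);
  const caSpki = await s.exportKey("spki", ca.publicKey);
  const caKey = await importSigningKey(await s.exportKey("pkcs8", ca.privateKey));
  const wrongKey = await importSigningKey(await s.exportKey("pkcs8", other.privateKey));
  // Attempting to export the non-extractable key must fail.
  const exportBlocked = await s.exportKey("pkcs8", caKey).then(() => false, () => true);
  return {
    match: await keyMatchesCert(caKey, caSpki),
    mismatch: await keyMatchesCert(wrongKey, caSpki),
    exportBlocked,
  };
}
```

A non-extractable `CryptoKey` blocks `exportKey()`, but the PEM text that was pasted still exists in page memory until it is released, so the import flag alone does not cover the raw input.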

🔗 You can try it out for free here: https://x509lab.vercel.app

If this helps you debug your mTLS setups or saves you from digging through OpenSSL man pages, let me know. Feedback and feature requests are always welcome in the comments.
