The main use case brought up is supporting people still on Win XP SP2 (released in August 2004), when the answer should be for them to upgrade to something newer, either OS or browser.
That said, there are probably a lot of embedded systems of similar ancient vintage that may not be easily upgradable. The wisdom of having them internet connected is questionable at best.
It appears that this really works best with CloudFlare's systems - if you're looking to set up your own CA, and want help working through all the openssl commands and configuration files, this is pretty helpful:
We find that Android 2.2 and 2.3 are also relevant platforms that require alternative toolchains. Upgrades are not possible for many of these devices.
As for setting up your CA, openssl's command line interface can be very clunky. CFSSL not only has a clean and simple command line interface, but it has a nice RESTful JSON API for simple integration into web services.
Cert bundling has always been a pain -- people getting intermediate certs wrong, and thus things working in some browsers and not others. I don't think a huge number of people will ever use a tool like this to run their own CA (but that's great that they can), but a lot of admins have to deal with cert bundling.
A lot of enterprises end up with messy CA implementations, and have to deal with bundling their certs, partner certs, and so on. I could see this being useful for them.
This makes good on a promise we made a long time ago to release this code and our bundles. Many people on HN have bitched about us not making good on that promise
zdw | 11 years ago
https://pki-tutorial.readthedocs.org/en/latest/
grittygrease | 11 years ago
rdl | 11 years ago
mattzito | 11 years ago
jgrahamc | 11 years ago
backslash | 11 years ago
zdw | 11 years ago
[deleted]