OpenAuthority

User-Controlled Certificate Authority Trust Store

Take Back Control of Your Certificate Trust

OpenAuthority is a community-driven trust store that puts certificate authority control back in your hands. Run your own CA, set your own certificate lifetimes, and join a transparent ecosystem built on cryptographic proof.

The Problem with Today's CA System

The current certificate ecosystem is controlled by a handful of authorities.

Shrinking Certificate Lifetimes

Let's Encrypt certificates last only 90 days. The CA/Browser Forum is pushing to reduce all public certificates to just 47 days by 2029.

Centralized Control

A small group of CAs and browser vendors decide what certificates you can trust.

CT Log Exposure

Certificate Transparency logs expose every certificate publicly. Attackers monitor these to discover new hosts.

How OpenAuthority Works

A transparent, verifiable system where domain owners prove they control their CA.

1. Create Your Root CA with Name Constraints

Generate a root CA certificate that includes Name Constraints—limiting which domains it can sign for.

2. Prove Domain Ownership via DNS

Publish a TXT record containing your CA's SHA-512 fingerprint at _openauthority.yourdomain.com.

3. Pass the 7-Day Probationary Period

Your CA enters a probationary period where we verify the DNS record every 6 hours for 7 days.

4. Join the Trust Store

Once verified, your CA is included in the OpenAuthority trust store for anyone to download.

Who Is This For?

Homelabbers & Self-Hosters

Run your own CA for your homelab without browser warnings.

Enterprises & Organizations

Full control over your internal PKI. No more relying on external CAs.

CA Service Providers

Build a business offering hosted CA services.

Upload Root CA Certificate

Add a new certificate authority to the trust store

Requirements
  • Certificate must be a Root CA (Basic Constraints: CA=true)
  • Certificate must have Name Constraints extension
  • For each DNS name, publish: _openauthority.yourdomain.com TXT "openauthority-ca-sha512=<fingerprint>"
  • New certificates enter a 7-day probationary period

; Example DNS TXT record
_openauthority.example.com. IN TXT "openauthority-ca-sha512=abc123..."
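As an added example (not OpenAuthority's own code), the following Python checks a certificate against the TXT record described above and folds the 6-hourly checks into the probationary state. It assumes, since the page does not say, that the fingerprint is SHA-512 over the certificate's DER bytes as lowercase hex without colons, and that a failed check during probation rejects the submission.

```python
"""Added example, not OpenAuthority's code: verify the DNS proof for a CA and
track its probation. Assumptions: fingerprint = SHA-512 over DER bytes, lowercase
hex, no colons; a failed probation check rejects the submission."""
import base64
import hashlib
import re

TXT_PREFIX = "openauthority-ca-sha512="
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PROBATION_CHECKS = 7 * (24 // 6)  # one check every 6 hours for 7 days = 28 passes

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint_sha512(der: bytes) -> str:
    return hashlib.sha512(der).hexdigest()

def txt_fingerprints(records) -> set:
    """Collect fingerprints from TXT strings; unrelated records (SPF etc.) are ignored."""
    found = set()
    for rec in records:
        rec = rec.strip().strip('"')
        if rec.startswith(TXT_PREFIX):
            found.add(rec[len(TXT_PREFIX):].strip().lower())
    return found

def dns_proof_ok(der: bytes, records) -> bool:
    return fingerprint_sha512(der) in txt_fingerprints(records)

def probation_status(check_results) -> str:
    """Fold a sequence of 6-hourly check results into a CA state. A failed check
    is never papered over by later passes, so a brief DNS hijack cannot
    accumulate 7 days of passes; an active CA that fails a check is revoked."""
    passes = 0
    for ok in check_results:
        if not ok:
            return "revoked" if passes >= PROBATION_CHECKS else "rejected"
        passes += 1
    return "active" if passes >= PROBATION_CHECKS else "probationary"

# Constructed stand-in for a DER certificate; any real certificate's DER bytes work.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"openauthority-sample-root-ca"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_TXT = ['"v=spf1 -all"', '"' + TXT_PREFIX + fingerprint_sha512(SAMPLE_DER) + '"']
```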


Verified Certificate Authorities

Probationary CAs are verified every 6 hours. Active CAs are verified every 24 hours.


Verification Audit Log

Complete history of all verification checks. Logs are cryptographically signed for integrity verification.


Export Trust Store

Download all verified CA certificates. Only fully active certificates are included.

Download Formats

Choose the format that works best for your platform

Installation Instructions

iOS & macOS Installation

Download the .mobileconfig profile.

  1. Download the profile using Safari
  2. Go to Settings → General → VPN & Device Management and install
  3. iOS only: Enable trust in Settings → General → About → Certificate Trust Settings

Android Installation

Download the ZIP archive and install each certificate:

  1. Extract the ZIP file
  2. For each .crt: Settings → Security → Install certificates → CA certificate

⚠️ Note

User-installed certificates may not be trusted by all apps due to Android 7+ security policies.

Windows Installation

Download the ZIP archive:

  1. Extract the ZIP
  2. For each .crt: Double-click → Install Certificate → Local Machine → Trusted Root CAs

PowerShell (Admin):

Get-ChildItem *.crt | ForEach-Object { Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\Root }

Linux Installation

Debian/Ubuntu:

sudo cp openauthority-trust-store.pem /usr/local/share/ca-certificates/openauthority.crt
sudo update-ca-certificates

Fedora/RHEL:

sudo cp openauthority-trust-store.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Frequently Asked Questions

Everything you need to know about OpenAuthority

OpenAuthority is a community-driven certificate authority trust store that allows anyone to run their own CA and have it trusted by others, using cryptographic proof (DNS verification) rather than expensive audits.

Name Constraints are an X.509 extension that limits which domains a CA can issue certificates for. We require them so your CA can only sign for domains you control.

Publish a DNS TXT record at _openauthority.yourdomain.com containing openauthority-ca-sha512=<fingerprint>. This proves you control the domain.

The probationary period prevents attackers from briefly hijacking DNS to inject malicious CAs. We verify every 6 hours for 7 days.

Active CAs are verified every 24 hours. Remove the DNS TXT record to revoke your CA.

Simply remove the DNS TXT record. At the next verification check, your CA will be automatically revoked.

You're in complete control—1 year, 5 years, 10 years, whatever makes sense for your use case.

Each audit log entry contains a cryptographic hash that includes the previous entry's hash, creating a verifiable chain. Any modification breaks the chain and is immediately detectable.
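An added illustration, not the project's code, of the chained audit log described in the last answer. It assumes SHA-256 over canonical JSON, an all-zero genesis hash, and that the signed value the page mentions is the chain head; the last function shows why that signature matters, since chaining alone cannot detect a rewritten tail.

```python
"""Added example, not OpenAuthority's code: a hash-chained audit log. Assumptions:
entries are canonical JSON, each hash is SHA-256 over the previous hash plus that
JSON, the first entry chains to an all-zero genesis hash, and the signed value
is the head hash of the chain."""
import hashlib
import json

GENESIS = "0" * 64

def entry_hash(prev_hash: str, record: dict) -> str:
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

def append(log: list, record: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry

def verify_chain(log: list, signed_head: str = None):
    """Return (ok, index): index is the first broken entry, or None.
    Chaining alone lets whoever holds the file rewrite the tail and recompute
    the hashes, so an exporter must also compare the head with the signed
    value (passed in here as signed_head after signature verification)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if signed_head is not None and prev != signed_head:
        return False, len(log) - 1
    return True, None

def build_log(records: list) -> list:
    log = []
    for r in records:
        append(log, r)
    return log

def tampered_copy(log: list, index: int, **changes) -> list:
    """Copy the log and alter one record, e.g. flip a failed DNS check to a pass."""
    copy = json.loads(json.dumps(log))
    copy[index]["record"].update(changes)
    return copy

# Constructed sample verification checks, not a real export.
SAMPLE_CHECKS = [
    {"ts": "2025-01-01T00:00:00Z", "domain": "example.com", "dns_ok": True},
    {"ts": "2025-01-01T06:00:00Z", "domain": "example.com", "dns_ok": True},
    {"ts": "2025-01-01T12:00:00Z", "domain": "example.com", "dns_ok": False},
]
```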