Documenting CA certificates setup for hetty

[tcarrio]

• Provides more accessible instructions on CA certificates
• New sections provided for "Certificate Setup and Installation"
• Configuring certificates for hetty using defaults and direct CLI
  arguments
• Trusting CA certificates on Windows, macOS, and Ubuntu
• Mention for additional Linux distros not covered by Ubuntu

Ref: #12

[tcarrio]

I just went through this process myself getting a local dev environment up and saw the note in the README, so I figured I would include some documentation.

This was only tested on Linux, but I included instructions for Ubuntu, macOS, and Windows by referencing various guides. I hope they're helpful 👍

[dstotijn]

Thanks for taking the effort @tcarrio! Left a few comments, but in general I think this is a good start. We'll probably refactor the certificate instructions into a separate docs site, but for now I think the README is the best place.

[elithrar]

You should consider building on, or using, mkcert: https://github.com/FiloSottile/mkcert

It automates the installation of the CA on major OS’ and is well-tested.

[tcarrio]

All of the comments look valid. I'll be applying all of them, which I can't seem to batch as a single commit in the GitHub UI. I will apply the updates and push again next chance.

[tcarrio]

This has been updated according to review. Please let me know what else may need updating 👍

[Lawri-van-Buel]

You should consider building on, or using, mkcert: https://github.com/FiloSottile/mkcert

It automates the installation of the CA on major OS’ and is well-tested.
I successfully used the rot certs from mkcert as the source CA file for Hetty.

I also completely agree that we should employ the concept of doing 1 thing, but doing it really good. makign / managing a CA should be out of scope for Hetty... but it could include instructions / inclusion of mkcert for that purpose.

As to the instructions using mkcert: github.com/FiloSottile/mkcert

1. First either install the golang build environmnet from golang.org or skip to step 4
2. Get a local checkout of the source from https://github.com/FiloSottile/mkcert.git make sure you have a taged version of the code by checking out a taged release (get the list of tags with git tag -l and than use the latest tag with git checkout <tagname>. if you are not changing the code tyourself you can ignore the detached message, otherwise add a branch with the -b <branch name> added to the last command.
3. Build mkcert using the following set of instructions. go mod vendor and go build -ldflags "-X main.Version=$(git describe --tags)". This will yield the executable of mkcert for your system.
4. the mkcert will need to generate its CA files before it can generate any other certs, if you execute it likw mkcert -install will both generate the CA certificate & key and install it into all relevant (local) certificate stores (the one form your OS, the one from firefox, etc).
5. after that you can get the location of the Certificates file with mkcert -CAROOT it will return the directory where mkcert installed the certificates, you can COPY those into the hetty config as the CAcert and CAkey files.

I hope that helps, and if you like I am willign to also add it to the readme in a PR (after this one is accepted).

[RiRa12621]

I wonder if this should be native markdown :warning: instead of an embedded emoji

[RiRa12621]

LGTM since i'm not super opinionated about the emoji i mentioned.
Squash and then it's good to go IMHO.
However I'd hold of with squashing until you got LGTM from @dstotijn

[dstotijn]

I also completely agree that we should employ the concept of doing 1 thing, but doing it really good. makign / managing a CA should be out of scope for Hetty... but it could include instructions / inclusion of mkcert for that purpose.

(...)

I hope that helps, and if you like I am willign to also add it to the readme in a PR (after this one is accepted).

@Lawri-van-Buel: I think the way forward is to use mkcert as a library (import/dependency) in Hetty, at least for installing a CA in a system/browser CA store. That way we can leverage mkcert's features for CA management without introducing a lot (arguably non-core) code in Hetty. The alternative of instructing users to manually download/use mkcert to generate a keypair and install it is a bit of a degraded user experience; especially the generating of the keypair should remain a feature of Hetty itself, just like mitmproxy, Burp Suite and OWASP ZAP have this.

For now, generating the CA keypair ourselves and instructing users to install to their system/browser CA store is fine, and leading up to an eventual v1.0 release we can work on embedding mkcert. I'll create a separate issue for this in due time, but if you want to work on it already or discuss/how to do it, that'd be much appreciated! Probably discussions would be the best place.

[dstotijn]

LGTM! 👍