
Private Certificate Authority as a Tor Hidden Service

Certificate authorities are the trust anchors of PKI infrastructure. For organizations running multiple .onion services or internal tools, a private CA (certificate authority) allows issuing TLS certificates for internal use without depending on commercial CAs like Let's Encrypt or DigiCert. A private CA running as a Tor hidden service provides: certificate issuance for .onion services (Let's Encrypt does not issue certificates for .onion domains, so a private CA is the only option for .onion TLS), a trust root distributed only to trusted clients, and certificate management without exposing the CA infrastructure to the internet. This guide covers deploying a private CA using CFSSL (Cloudflare's PKI toolkit) and step-ca (Smallstep's CA) as Tor hidden services.


Why .onion Services Need a Private CA

Let's Encrypt and other public CAs do not issue certificates for .onion domains because they require public DNS verification (the domain must be resolvable via public DNS, which .onion domains are not). This means .onion services cannot use publicly trusted TLS certificates - they must use either self-signed certificates or certificates from a private CA trusted by the clients. Using a private CA (rather than self-signed certificates per service) provides several advantages: (1) clients trust the CA root certificate and automatically trust all certificates issued by it, (2) certificate revocation: the CA can revoke a certificate if a service is compromised, (3) certificate lifecycle management: the CA issues certificates with defined expiration dates and provides renewal workflows, (4) organization-wide trust policy: all internal services use certificates from the same trust root, simplifying client configuration.

Deploying step-ca as a .onion CA Service

step-ca is a modern private CA from Smallstep that supports the ACME protocol (the same protocol Let's Encrypt uses). Install it from the official binary or package: wget https://dl.smallstep.com/gh-release/certificates/latest/step-ca_linux_amd64.tar.gz. Initialize the CA: step ca init --name 'Private Tor CA' --provisioner admin@yourorg --address 127.0.0.1:9000. step ca init creates a JWK provisioner; to serve ACME, add an ACME provisioner as well: step ca provisioner add acme --type ACME. Configure Tor with a hidden service that forwards to the CA listener: HiddenServiceDir /var/lib/tor/ca/ (any directory Tor can write) followed by HiddenServicePort 9000 127.0.0.1:9000. The CA's ACME endpoint is then reachable via the .onion address. Client configuration: install the step CLI on each client, import the CA root certificate (step certificate install <path to root_ca.crt>), and point ACME clients at the .onion ACME endpoint. step-ca serves its API over TLS, so the directory URL is https, not http: certbot can be configured with --server https://youraddress.onion:9000/acme/acme/directory (the second path element is the ACME provisioner name) to request certificates from your .onion CA.

Certificate Issuance for .onion Services

Using the CA to issue certificates for .onion services: (1) on the server running the .onion service, install the step CLI, (2) configure the step CLI to trust your .onion CA, pinning the root by the fingerprint printed at step ca init and running the command under torsocks so it reaches the .onion address: step ca bootstrap --ca-url https://yourca.onion:9000 --fingerprint <root fingerprint>, (3) request a certificate for the .onion service: step ca certificate yourservice.onion /etc/tls/cert.pem /etc/tls/key.pem, (4) configure the web server (Nginx, Caddy) to use the issued certificate for the .onion virtual host. Clients connecting to the .onion service need the CA root certificate installed in their trust store (or their browser). For Tor Browser: import the CA root certificate via browser settings. For clients using the system trust store: install the CA root in the OS certificate store.
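The fingerprint check in step (2) is what makes the bootstrap safe: the first fetch of the root travels over a TLS connection that no trust store can verify yet. The following added example (not step-ca's own code) reproduces that fail-closed check in Python; it assumes torsocks, curl and a local Tor client, and the /roots.pem path is an assumption about the step-ca API.

```python
"""Pin a step-ca root fetched over Tor before trusting it (added example, not
step-ca's own code). Mirrors `step ca bootstrap --fingerprint`: fetch the root
over a TLS connection that cannot be verified yet, hash its DER encoding and
refuse to install it unless the SHA-256 fingerprint matches the value the CA
operator handed out out-of-band. Assumes torsocks, curl and a local Tor client;
the /roots.pem path is an assumption about the step-ca API."""
import base64
import hashlib
import re
import subprocess
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed sample (5 DER bytes, not a real certificate) for offline checks.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM bundle."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, lowercase hex (the form step ca init prints)."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def verify_root(pem: str, expected_fp: str) -> str:
    """Return the PEM only if it matches expected_fp; fail closed otherwise."""
    got = fingerprint(pem)
    if got != expected_fp.lower().replace(":", ""):
        raise ValueError(f"root fingerprint mismatch: got {got}")
    return pem

def fetch_root_over_tor(ca_onion: str, port: int = 9000) -> str:
    """Download the root via Tor. curl -k is unavoidable on this first fetch
    (nothing can verify the CA's own TLS certificate yet), so only
    verify_root() makes the result trustworthy."""
    url = f"https://{ca_onion}:{port}/roots.pem"  # assumed step-ca endpoint
    out = subprocess.run(["torsocks", "curl", "-sk", "--fail", url],
                         check=True, capture_output=True, text=True)
    return out.stdout

def bootstrap(ca_onion: str, expected_fp: str, dest: Path) -> Path:
    """Fetch, verify, then persist the root for later use as a trust anchor."""
    pem = verify_root(fetch_root_over_tor(ca_onion), expected_fp)
    dest.write_text(pem)
    return dest
```

A root that fails the comparison is never written to disk, so a wrong onion address or a tampered response leaves the client with no trust anchor rather than a bad one.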

CFSSL for High-Volume Certificate Issuance

CFSSL (Cloudflare's PKI/TLS toolkit) is suited for high-volume certificate issuance in programmatic environments. It provides a JSON API for certificate signing, making it easy to integrate certificate issuance into automation workflows. Deploy CFSSL: download the cfssl and cfssljson binaries, generate a CA configuration (ca-config.json) with profiles for different certificate lifetimes, generate the CA root certificate (cfssl gencert -initca ca-csr.json | cfssljson -bare ca), start the CFSSL API server: cfssl serve -address 127.0.0.1 -port 8888 -ca ca.pem -ca-key ca-key.pem -config ca-config.json. Configure Tor: HiddenServicePort 8888 127.0.0.1:8888. Automation scripts request certificates via HTTP POST to the CFSSL API over Tor using torsocks curl.
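The JSON exchange described above, as an added example that is not CFSSL's own code: it builds the body for the /api/v1/cfssl/sign endpoint, posts it through Tor with torsocks curl, and parses CFSSL's response envelope so that a refused request reports the server's error codes instead of producing an empty certificate file. It assumes torsocks, curl and a local Tor client; the onion address, profile name and CSR are caller-supplied.

```python
"""Request a certificate from a CFSSL API served as a .onion (added example,
not CFSSL's own code). Builds the body CFSSL's /api/v1/cfssl/sign endpoint
accepts, posts it through Tor with `torsocks curl` as the text describes, and
parses the response envelope so that a refused request surfaces CFSSL's error
codes instead of an empty file. Assumes torsocks, curl and a local Tor client;
the onion address, profile name and CSR are caller-supplied."""
import json
import subprocess

CSR_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"

def build_sign_request(csr_pem: str, hosts: list, profile: str) -> dict:
    """Body for POST /api/v1/cfssl/sign: `hosts` become the SANs and `profile`
    selects the expiry/usages block from ca-config.json."""
    if not csr_pem.lstrip().startswith(CSR_HEADER):
        raise ValueError("csr_pem is not a PEM certificate request")
    if not hosts or not profile:
        raise ValueError("hosts and profile are required")
    return {"certificate_request": csr_pem, "hosts": list(hosts), "profile": profile}

def parse_sign_response(body: str) -> str:
    """Extract the certificate from CFSSL's envelope
    {"success": bool, "result": {...}, "errors": [...], "messages": [...]}."""
    resp = json.loads(body)
    if not resp.get("success"):
        errs = "; ".join(f"{e.get('code')}: {e.get('message')}"
                         for e in resp.get("errors") or [])
        raise RuntimeError(f"CFSSL refused the request: {errs or 'no detail'}")
    cert = (resp.get("result") or {}).get("certificate", "")
    if "-----BEGIN CERTIFICATE-----" not in cert:
        raise RuntimeError("response did not contain a certificate")
    return cert

def request_certificate(ca_onion: str, csr_pem: str, hosts: list,
                        profile: str, port: int = 8888) -> str:
    """POST the request over Tor and return the signed certificate PEM."""
    url = f"http://{ca_onion}:{port}/api/v1/cfssl/sign"
    body = json.dumps(build_sign_request(csr_pem, hosts, profile))
    out = subprocess.run(
        ["torsocks", "curl", "-s", "--fail", "-X", "POST",
         "-H", "Content-Type: application/json", "--data-binary", "@-", url],
        input=body, check=True, capture_output=True, text=True)
    return parse_sign_response(out.stdout)
```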

CA Security and Key Protection

CA private key protection is critical: compromise of the CA key allows issuing fraudulent certificates that every client trusts. Security measures: (1) store the CA private key encrypted at rest (PKCS#12 with a strong passphrase, or a hardware security module if budget allows), (2) restrict access to the CA server: use Tor v3 client authorization so only authorized administrators can reach the CA management interface, (3) enable CA audit logging for all certificate issuance and revocation events, (4) configure certificate validity periods appropriate to your risk model: shorter lifetimes (90 days) reduce the window in which a compromised certificate can be abused, (5) implement a CRL (Certificate Revocation List) or OCSP for certificate revocation, accessible as a .onion URL, (6) back up the CA private key encrypted and stored separately from the CA server. The CA is the most security-sensitive component of your .onion PKI infrastructure.
