NATSSL: Just another SSL self-hosted CA for your private network
NATSSL (Zero-Configuration Distributed TLS for Private Infrastructure) is a lightweight, open-source utility written in Go (93.2%). The project is a tool for deploying your own trusted Root Certificate Authority (Root CA) inside isolated or private networks without relying on the cloud or third-party services.
🛠️ Key Capabilities
The project is split into two logical roles packaged in a single executable (single binary).
Master Mode (Master / CA)
Root Certificate Generation: Automatically creates a Root CA with a 10-year validity period.
Administrative Issuance: Allows the administrator to issue certificates (valid for 1 year) via CLI for any internal domains (.local, .internal), IP addresses, and Wildcard domains (*.internal).
Revocation Management: Supports certificate revocation by serial number and synchronization of the Certificate Revocation List (CRL) with clients.
Local Database: Uses an embedded SQLite database (compiled without CGO) to track issued certificates.
Client Mode (Client)
Automatic Integration: On startup, the client installs the Root CA certificate into the operating system's trust store and into the Firefox browser's certificate store on its own.
Auto-Registration: Automatically sends a request to the master server to obtain its own mTLS identity (client certificate).
Local Certificates: The client can independently request and renew certificates for localhost / 127.0.0.1 via a CSR (Certificate Signing Request) workflow.
Fault Tolerance (ReadOnly): If the master server becomes unavailable, the client continues to operate in "read-only" mode using cached data.
🔄 Disaster Recovery
One of the unique features of the project is its disaster recovery scheme, which borrows the BIP-39 mnemonic standard from cryptocurrency wallets:
During initialization (--bootstrap), the master generates a 24-word BIP-39 mnemonic seed phrase.
The master's private key is never written to the disk in plaintext.
If the master server is destroyed, any client node can be "promoted to master" with the --promote-to-master command by entering the 24 words. The root certificate is restored byte-for-byte (with the exact same fingerprint), so existing clients keep trusting the new master without reconfiguration, and the migration event itself is broadcast across the network as a packet signed with the Root CA's ECDSA key. Since the 24 words reconstruct the Root CA's private key, they must be protected exactly like that key.
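The --promote-to-master recovery above relies on the mnemonic deterministically re-creating the Root CA key pair; the following Go program, added here as an illustration and not taken from the NATSSL code base, derives the BIP-39 seed from the 24 words and maps it to a P-256 ECDSA key, so the same words always yield the same public key and fingerprint. It assumes a hypothetical HMAC label for the seed-to-scalar step, builds the scalar by hand because ecdsa.GenerateKey is deliberately non-reproducible even with a fixed reader, and covers only the key: reproducing the self-signed certificate byte-for-byte additionally needs a fixed serial, fixed timestamps and deterministic signing, which are outside this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"crypto/x509"
	"fmt"
	"math/big"
)

// Constructed 24-word demo phrase; the BIP-39 wordlist checksum is not validated here.
const demoMnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art"

// bip39Seed is BIP-39 mnemonic-to-seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic"+passphrase.
// The 64-byte seed is exactly one SHA-512 output, so only PBKDF2 block index 1 is needed.
func bip39Seed(mnemonic, passphrase string) []byte {
	prf := hmac.New(sha512.New, []byte(mnemonic))
	prf.Write(append([]byte("mnemonic"+passphrase), 0, 0, 0, 1)) // salt || INT(1)
	u := prf.Sum(nil)
	seed := append([]byte(nil), u...)
	for i := 1; i < 2048; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(seed, seed, u)
	}
	return seed
}

// rootKeyFromSeed: seed -> P-256 scalar in [1, n-1] plus its public point; the HMAC label is this example's assumption.
func rootKeyFromSeed(seed []byte) *ecdsa.PrivateKey {
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte("natssl-root-ca/v1")) // hypothetical domain-separation label, not NATSSL's
	n := elliptic.P256().Params().N
	d := new(big.Int).SetBytes(mac.Sum(nil))
	d.Mod(d, new(big.Int).Sub(n, big.NewInt(1))).Add(d, big.NewInt(1))
	x, y := elliptic.P256().ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, D: d}
}

func main() {
	// A promoted node re-derives the key; the SPKI hash is what clients can compare afterwards.
	key := rootKeyFromSeed(bip39Seed(demoMnemonic, ""))
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a valid P-256 key
	fmt.Printf("root key fingerprint: %x\n", sha256.Sum256(spki))
}
```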
📦 Deployment
The project offers ready-made configurations for automation:
Ansible roles for deploying binaries and configuration files to multiple hosts with automatic fingerprint forwarding.
Docker / Docker Compose builds for containerized environments.