Adding my thanks and appreciation!
For several years, I maintained a registry of assigned names and numbers for a software development organization: mostly OID’s and SNMP MIB’s. At one point, I prototyped an internal CA and published certificates as well. The registry structure followed Maven/Ivy conventions so that build/integration systems could download these artifacts. I followed this tutorial to set up the CA.
Jamie’s tutorial covers certificate generation but not so much about publication. Similarly, the aspects of provisioning servers and clients are not covered so much. I ran into the sort of problems you find in the comments such as how to bundle up a certificate chain and key for a given server.
I’ve published two GitHub projects covering:
A prototype web site and registry to make certificates generated by a CA publicly available: ranger6/xanna
A set of tools (mostly bash scripts) to standardize and simplify the publication of certificates, generate certificate bundles, etc.: ranger6/ca. This project includes an example workflow of setting up the CA with signing certificates, generating server certificates, publishing to a registry, and fetching certificates/bundles to provision servers. A good part of the workflow (the upstream part) is simply following Jamie’s tutorial.
Advise on all the provisioning gotcha’s are not covered. I mostly played around with Caddy (caddyserver.com).
Everything is free for the taking (MIT License). Comments and pull requests accepted!