Clone the CA Template

The repository template we'll be cloning is located here.

For your convenience, the button below will open the New Repository page with the template automatically selected.

Create Template Button

You'll notice that the included Actions workflow immediately runs and fails. This is because Pages is configured by default to deploy from a branch instead of GitHub Actions. This is fine; we'll fix that next.

Configure Settings

In the repository settings, navigate to Code and automation, then click Pages. Next, select the Source drop-down and click GitHub Actions.

Ensure that Enforce HTTPS is disabled.

Note

RFC 5280 defines the X.509 standard and how assets are to be distributed.

Both the AIA certificate and the CDP CRL MUST be DER encoded and accessible over unencrypted HTTP. Some PKI implementations (notably Windows' CryptoAPI) strictly adhere to the RFC and will fail if either of these extensions contains HTTPS URIs, though most applications will retrieve them either way.

Not having encryption isn't an issue, since certificates and CRLs are cryptographically signed and their integrity can be verified independently of the transport.

(Optional) Add CNAME

If you're using a custom domain, create a file named CNAME in the root of the repository.

The Add file button is above the list of files next to the green Code button. If your browser window is narrow, then Add file will be replaced with a + button. The function is the same.

The contents of the CNAME file should be the domain name of your CA on a single line:

CNAME
ca.example.com

Configure Workflow

Make sure you use the correct cp line for the crt and crl files.

If your crt and crl files are in the root of the repository, uncomment line 23 (the cp *.{crl,crt} dist/ step) as-is.

If you plan to use a subdirectory for your crt and crl files, uncomment line 26 (the cp subdirectory/*.{crl,crt} dist/ step) and replace subdirectory with the name of the directory.

If you're using a custom domain and have created the CNAME file, uncomment line 29 (the cp CNAME dist/ step).

.github/workflows/pages.yaml
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow
---
name: Pages
on:
  push:
    branches:
    - master
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: wranders/markdown-to-pages-action@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}

################################################################################
# Copy files to Pages deploy directory                                         #
################################################################################

    # Copy DER-encoded Certificates and DER-encoded CRLs from repository root
    # - run: cp *.{crl,crt} dist/

    # Copy DER-encoded Certificates and DER-encoded CRLs from subdirectory
    # - run: cp subdirectory/*.{crl,crt} dist/

    # Copy Pages CNAME file to the Pages directory
    # - run: cp CNAME dist/

################################################################################
    - uses: actions/upload-pages-artifact@v3
      with:
        path: dist

  deploy:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
    - uses: actions/deploy-pages@v4
      id: deployment
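
The note above requires the published crt and crl files to be DER encoded, and the cp steps copy whatever is in the repository. The following check is an added example, not part of the template repository: it could run before the cp step to catch a PEM file committed by mistake and a malformed CNAME. The function names are hypothetical, and the CNAME rule (a bare host name) is an assumption drawn from the ca.example.com example.

```shell
#!/bin/sh
# Added example, not part of the template repository.
# Function names are hypothetical; sample inputs are up to the caller.

# Print "der", "pem" or "unknown" for one file, judged by its leading bytes.
encoding_of() {
    magic=$(od -An -tx1 -N10 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        2d2d2d2d2d424547494e) echo pem ;;   # ASCII "-----BEGIN" armor
        30*) echo der ;;                    # ASN.1 SEQUENCE tag, as DER starts
        *) echo unknown ;;
    esac
}

# Check every .crt and .crl in directory $1; return 1 if any is not DER.
preflight() {
    rc=0
    for f in "$1"/*.crt "$1"/*.crl; do
        [ -e "$f" ] || continue             # glob matched nothing
        enc=$(encoding_of "$f")
        if [ "$enc" != "der" ]; then
            echo "FAIL: $f looks like $enc, expected der" >&2
            rc=1
        fi
    done
    return "$rc"
}

# CNAME must hold exactly one non-empty line and no scheme, port or path
# (assumption drawn from the page's ca.example.com example).
cname_ok() {
    [ "$(grep -c . "$1" 2>/dev/null)" = "1" ] || return 1
    ! grep -q '[/:]' "$1"
}

# Stand-alone use: sh preflight.sh <directory holding the crt and crl files>
if [ "$#" -gt 0 ]; then
    preflight "$1" || exit 1
    if [ -e CNAME ]; then cname_ok CNAME || exit 1; fi
fi
```

The byte check only separates PEM from DER; openssl x509 -inform DER -noout -in FILE and openssl crl -inform DER -noout -in FILE parse the full structure if a stricter check is wanted.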

Edit README

The contents of the README file should be completely replaced. This file will be rendered by the Pages workflow into the index.html of the Pages site.

This could contain links to the crt and crl files, a description of your CA, or whatever you want.

If you want to know what you can do with this file, check out the Action that's used to render it:

wranders/markdown-to-pages-action

Edit LICENSE

The template repository is licensed under MIT No Attribution. This was done so that anyone can use the template without being required to include a copy of the license or give me credit in their cloned repository. It also means you're free to license your CA in any way that you see fit, including having no license, which makes your CA repository proprietary.

Note

If you choose not to include a license and make your repository proprietary, keep in mind that under the GitHub Terms of Service, if the repository is public, anyone on the platform has the right to fork or clone your repository. They would not, however, have the right to modify that copy.

Read the legalese and know your rights.

Next Step

Create and Configure your Github App