🔒 Android SMS Gateway CA

Private Certificate Authority for Secure Local Communications
Explore the API docs »

Report Bug · Request Feature

• 📖 About The Project
  • 🛠️ Built With
• 🚀 Getting Started
  • Prerequisites
  • Installation
• 💻 Usage
  • Method Comparison
  • CLI Method
  • API Method
• ⚠️ Limitations
• 🚨 Migration Guide
• ❓ FAQ
• 🤝 Contributing
• 📄 License

📖 About The Project

This private Certificate Authority simplifies secure communications within local networks while maintaining security standards. By operating its own Certificate Authority (CA), the project eliminates common security pitfalls associated with self-signed certificates and manual certificate management.

Important Security Value Proposition

• 🌍 Solves private IP validation - Public CAs cannot validate private IP addresses
• ⚠️ Reduces security risks - Eliminates manual certificate installation on client devices

The CA enforces strict security boundaries through multiple layers:

1. Private IP Enforcement - All issued certificates validated against RFC 1918 address ranges
2. Key Management - CA private key loaded securely (PEM/PKCS#8); certificates parsed using x509
3. Request Validation - CSRs validated to ensure SAN entries are private IPs (RFC 1918)

🛠️ Built With

• 
• 
• 

(back to top)

🚀 Getting Started

Prerequisites

• Go 1.24.1+ (for building from source)
• Docker (optional, for containerized deployment)
• OpenSSL (for manual key/CSR generation)
• curl and jq (for API examples)

Installation

You don't need to install the CA locally to use it. You can use the API or the CLI to issue a certificate with the project's CA at ca.sms-gate.app.

(back to top)

💻 Usage

Method Comparison

Feature	CLI Method 🖥️	API Method 🌐
Difficulty	⭐ Easy	⭐⭐ Medium
Customization	❌ No	✅ Available
Automation	✅ Full	❌ Manual
Recommended For	Most users ✅	CI/CD pipelines 🤖

CLI Method

You can use the SMSGate CLI to issue a certificate.

1. 📥 Generate Certificate

   # Generate webhook certificate
   ./smsgate-ca webhooks --out=server.crt --keyout=server.key 192.168.1.10

2. 🔐 Install Certificates

   # Nginx example
   ssl_certificate /path/to/server.crt;
   ssl_certificate_key /path/to/server.key;

API Method

1. 🔑 Generate Key Pair

   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key

2. 📝 Create Config

   # server.cnf
   [req]
   distinguished_name = req_distinguished_name
   x509_extensions = v3_req
   prompt = no
   
   [req_distinguished_name]
   CN = 192.168.1.10  # replace with your private IP
   
   [v3_req]
   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   extendedKeyUsage = serverAuth
   subjectAltName = @alt_names
   
   [alt_names]
   IP.0 = 192.168.1.10

3. 📋 Generate CSR

   openssl req -new -key server.key -out server.csr -extensions v3_req \
     -config ./server.cnf

4. 📨 Submit CSR

   jq -Rs '{content: .}' < server.csr | \
   curl -sSf -X POST \
     -H "Content-Type: application/json" \
     -d @- \
     https://ca.sms-gate.app/api/v1/csr

   You will receive a Request ID in the response.

5. 🕒 Check Status

   curl https://ca.sms-gate.app/api/v1/csr/REQ_12345 # replace with your Request ID

6. 📥 Save Certificate
   When the request is approved, the certificate content will be provided in the certificate field of the response. Save the certificate content to the file server.crt.

7. 🔐 Install Certificate
   Install the server.crt and server.key (from step 1) files to your server.

Full API documentation is available here.

(back to top)

⚠️ Limitations

The Certificate Authority service has the following limitations:

• 🔐 Only issues certificates for private IP ranges:

  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
  

• ⏳ Certificate validity: 1 year
• 📛 Maximum 1 POST request per minute

(back to top)

🚨 Migration Guide

Self-signed certificates will be deprecated after v2.0 release. It is recommended to use the project's CA instead.

Migration checklist:

• Replace self-signed certs before v2.0 release
• Update automation scripts to use CLI tool or API
• Rotate certificates every 1 year

(back to top)

❓ FAQ

Why don't I need to install CA on devices?
The root CA certificate is embedded in the SMSGate app (v1.31+).
Note: other clients (browsers, third‑party services) that do not embed this CA will not trust these certificates unless you install the CA in their trust store.

Certificate issuance failed?
Ensure your IP matches private ranges and hasn't exceeded quota

(back to top)

🤝 Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".

1. Fork the Project
2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
3. Commit your Changes (git commit -m 'Add some AmazingFeature')
4. Push to the Branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

(back to top)

📄 License

Distributed under the Apache-2.0 License. See LICENSE for more information.

(back to top)