tls-gen generates a self-signed Certificate Authority (CA) certificate and two key/certificate pairs, one for a client and one for a server, signed by that CA, with a single command. It can also generate a chain of CA certificates (a root CA and intermediates).

Private keys can be generated using RSA as well as ECC.

Use these certificates in development and QA environments only. The CA is self-signed, and its private key and passphrase end up in your working directory and shell history, so nothing it issues should be trusted in production.

The project is extracted from a number of RabbitMQ test suites.
tls-gen requires:

- openssl
- Python 3.5 or later in PATH as python3 (older versions are not supported)
- make
Certificate authorities (CAs) and certificates can form chains. tls-gen provides different "profiles", for example:

- Profile 1: a root CA with leaf certificate/key pairs signed by it
- Profile 2: a root CA with multiple shared intermediate CAs and leaf pairs signed by the intermediates
- Profile 3: a root CA with two intermediate CAs (one for server, one for client) and leaf pairs signed by the intermediates

Each profile has its own sub-directory in the repository root. All profiles use the same make targets, and their directory layouts are kept as close to each other as possible.
To generate a CA and client and server private key/certificate pairs, run make from the basic profile directory, passing the passphrase for the generated private keys in the PASSWORD variable (on the make command line or in the environment):

```sh
cd [path to tls-gen repository]/basic
# pass a password using the PASSWORD variable
make PASSWORD=bunnies
# results will be under the ./result directory
ls -lha ./result
```

The generated CA certificate, as well as the client and server certificates and private keys, will be under the result directory.
It is possible to use ECC for leaf keys:

```sh
cd [path to tls-gen repository]/basic
# pass a password using the PASSWORD variable
make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1"
# results will be under the ./result directory
ls -lha ./result
```

The list of curves supported by your openssl build can be obtained with

```sh
openssl ecparam -list_curves
```
To generate a root CA, two shared intermediate CAs, and client and server key/certificate pairs, run make from the two_shared_intermediates directory:

```sh
cd [path to tls-gen repository]/two_shared_intermediates
make PASSWORD=bunnies
# results will be under the ./result directory
ls -lha ./result
```

It is possible to use ECC for intermediate and leaf keys:

```sh
make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1"
# results will be under the ./result directory
ls -lha ./result
```

The list of curves supported by your openssl build can be obtained with

```sh
openssl ecparam -list_curves
```
To generate a root CA, two intermediate CAs (one for server, one for client), and client and server key/certificate pairs, run make from the separate_intermediates directory:

```sh
cd [path to tls-gen repository]/separate_intermediates
make PASSWORD=bunnies
# results will be under the ./result directory
ls -lha ./result
```

It is possible to use ECC for intermediate and leaf keys:

```sh
make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1"
# results will be under the ./result directory
ls -lha ./result
```

The list of curves supported by your openssl build can be obtained with

```sh
openssl ecparam -list_curves
```
To generate a fresh set of keys and certificates, replacing the existing one, use

```sh
make regen PASSWORD=bunnies
```

The regen target accepts the same variables (PASSWORD, USE_ECC, ECC_CURVE, CN, NUMBER_OF_PRIVATE_KEY_BITS) as gen, the default target described above.
You can verify the generated client and server certificates against the generated CA (through the intermediates, in the chained profiles) with

```sh
make verify
```
By default, the certificates' CN (Common Name) is derived from the output of hostname. It is possible to override CN with a variable:

```sh
make PASSWORD=bunnies CN=secure.mydomain.local
```

Modern TLS clients match the server name against the subjectAltName extension rather than against CN, so after overriding CN check (for example with make info, described below) that the generated certificates carry the name you expect there as well.

It is possible to override the number of private key bits (for RSA keys) with a variable:

```sh
make PASSWORD=bunnies NUMBER_OF_PRIVATE_KEY_BITS=4096
```
To display information about the generated certificates, use

```sh
make info
```

This assumes the certificates were previously generated.
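The profiles above, the RSA/ECC choice, the CN and key size overrides, make verify and make info all come down to a handful of openssl invocations. The following script is an added example, not tls-gen's Makefile or any file from the project: it builds a root CA, one intermediate CA and a server leaf (the shape of the separate_intermediates profile, server side only) with plain openssl, then verifies the chain and prints the fields make info would show. The variable names mirror tls-gen's; the output file names, the subject names and the ./result-example directory are this example's own choices.

```sh
#!/bin/sh
# Added example, not tls-gen's own Makefile: root CA -> intermediate CA ->
# server leaf with plain openssl, then chain verification and inspection.
# PASSWORD, USE_ECC, ECC_CURVE, CN and NUMBER_OF_PRIVATE_KEY_BITS mirror
# tls-gen's variable names; file names and subjects below are this example's.
set -eu

OUT=${OUT:-./result-example}
PASSWORD=${PASSWORD:-bunnies}
USE_ECC=${USE_ECC:-false}
ECC_CURVE=${ECC_CURVE:-prime256v1}
BITS=${NUMBER_OF_PRIVATE_KEY_BITS:-2048}
CN=${CN:-$(hostname 2>/dev/null || echo localhost)}

# gen_key FILE: passphrase-protected private key, RSA by default, ECC if USE_ECC=true
gen_key() {
  if [ "$USE_ECC" = true ]; then
    openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$ECC_CURVE" \
      -pkeyopt ec_param_enc:named_curve -aes256 -pass "pass:$PASSWORD" -out "$1"
  else
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$BITS" \
      -aes256 -pass "pass:$PASSWORD" -out "$1"
  fi
}

# generate_chain: self-signed root CA, intermediate CA signed by it, leaf signed
# by the intermediate. The leaf gets a subjectAltName matching CN, because
# modern clients match the name against the SAN and not against CN.
generate_chain() {
  mkdir -p "$OUT"
  cat > "$OUT/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$CN
EOF
  gen_key "$OUT/root_ca_key.pem"
  openssl req -new -x509 -config "$OUT/openssl.cnf" -extensions v3_ca \
    -key "$OUT/root_ca_key.pem" -passin "pass:$PASSWORD" \
    -subj "/CN=Example Root CA" -days 3650 -out "$OUT/root_ca_certificate.pem"

  gen_key "$OUT/server_ca_key.pem"
  openssl req -new -config "$OUT/openssl.cnf" -key "$OUT/server_ca_key.pem" \
    -passin "pass:$PASSWORD" -subj "/CN=Example Server CA" -out "$OUT/server_ca.csr"
  openssl x509 -req -in "$OUT/server_ca.csr" -CA "$OUT/root_ca_certificate.pem" \
    -CAkey "$OUT/root_ca_key.pem" -passin "pass:$PASSWORD" -CAcreateserial \
    -extfile "$OUT/openssl.cnf" -extensions v3_ca -days 1825 \
    -out "$OUT/server_ca_certificate.pem"

  gen_key "$OUT/server_key.pem"
  openssl req -new -config "$OUT/openssl.cnf" -key "$OUT/server_key.pem" \
    -passin "pass:$PASSWORD" -subj "/CN=$CN" -out "$OUT/server.csr"
  openssl x509 -req -in "$OUT/server.csr" -CA "$OUT/server_ca_certificate.pem" \
    -CAkey "$OUT/server_ca_key.pem" -passin "pass:$PASSWORD" -CAcreateserial \
    -extfile "$OUT/openssl.cnf" -extensions v3_server -days 365 \
    -out "$OUT/server_certificate.pem"
}

# verify_chain: what `make verify` boils down to. The root on its own must NOT
# validate the leaf; the intermediate has to be supplied (here via -untrusted).
verify_chain() {
  if openssl verify -CAfile "$OUT/root_ca_certificate.pem" \
       "$OUT/server_certificate.pem" >/dev/null 2>&1; then
    echo "unexpected: leaf verified without the intermediate" >&2
    return 1
  fi
  openssl verify -CAfile "$OUT/root_ca_certificate.pem" \
    -untrusted "$OUT/server_ca_certificate.pem" "$OUT/server_certificate.pem"
}

# key_algorithm CERT: prints rsaEncryption or id-ecPublicKey, to confirm USE_ECC took effect
key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

# cert_info CERT: the parts of `make info` worth checking by eye (subject, issuer, validity, SAN)
cert_info() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

generate_chain
verify_chain
cert_info "$OUT/server_certificate.pem"
```

Note what verify_chain checks first: the root CA alone does not validate the leaf, because the leaf was issued by the intermediate. A peer that is given only the root must also receive the intermediate (usually bundled with the leaf certificate), which is the usual cause of "unable to get local issuer certificate" errors when moving from the basic profile to a chained one. Run the script with USE_ECC=true to get ECC keys; key_algorithm then reports id-ecPublicKey instead of rsaEncryption.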
Mozilla Public License, see LICENSE.