taybart/certs

openssl is super annoying to use
Certs

A tool for dealing with certificates. I recommend using smallstep for any real CA work.

Table of Contents

Installation

Configuration

Usage

Todo

Installation

$ go install github.com/taybart/certs/cmd/certs@latest

Configuration

Certs' configuration lives at $HOME/.config/certs/config.json. Leaving the CA key password set to "" makes certs prompt for it when a command runs; this is the recommended use. Setting the password to _ leaves the CA key unencrypted on disk.

{
  "ca": {
    "name": "my-ca",
    "key": "/home/user/.config/certs/ca.key",
    "crt": "/home/user/.config/certs/ca.crt",
    "scheme": "ed25519"
  },
  "default_subject": {
    "common_name": "taybart",
    "organizational_unit": ["Engineering"],
    "organization": ["taybart"],
    "street_address": [""],
    "postal_code": [""],
    "locality": [""],
    "province": [""],
    "country": [""]
  }
}

Usage

Usage of certs:
  -c string
        Config file location (default "/home/taylor/.config/certs")
  -csr string
        Generate CSR
  -f string
        File to sign
  -gen
        Generate new CA
  -p string
        Print certificate contents
  -scheme string
        Cryptographic scheme for certs [ed25519, ecdsa{256, 384, 512}, rsa{2048, 4096}] (default "ed25519")
  -sign
        Sign request
  -signca
        Sign request as CA
  -system
        Validate against the system roots instead of the certs CA
  -verify string
        Check cert validity
  -w    Write values to file

Generating a Certificate Authority

$ certs -gen

Create CSR

$ certs -w -csr test.localhost

From file

{
  "dns_names": ["test.com"],
  "subject": {
    "common_name": "Hello dot com",
    "organizational_unit": ["Engineering"],
    "organization": ["Test inc"],
    "street_address": ["1234 Real St"],
    "postal_code": ["12345"],
    "locality": ["Denver"],
    "province": ["Colorado"],
    "country": ["US"]
  },
  "scheme": "ecdsa256"
}
$ certs -w -csr ./csr.json

Sign request

$ certs -w -sign -f ./test.localhost.csr

Create CSR and sign

$ certs -csr ./csr.json -pipe | certs -sign -w
CA Password (hit enter if unencrypted)
-> ✓

Validate certificate

System roots

$ certs -system -verify ./test.localhost.crt
DNSNames: [test.localhost]
SerialNumber: 33402702424818636287940487352184976883

Subject: test.localhost
         Company
         1999 Broadway St, Denver Colorado

Issuer:  my-ca
         Company
         1999 Broadway St, Denver Colorado

KeyUsage: [DigitalSignature CRLSign]
ExtKeyUsage: [ServerAuth OCSPSigning]

PublicKeyAlgorithm: Ed25519
SignatureAlgorithm: Ed25519

Signature:
      202194762a98b48945cd5cf190fbc300246477c41b8ea4d4c2
      43e0871fcb8bd0087abd167da58640dcd394440b6f45309a35
      4b801ec310b3a8dd10ef8a74c007

Certificate invalid invalid cert x509: certificate signed by unknown authority
exit status 1

Certs CA

$ certs -verify ./test.localhost.crt
DNSNames: [test.localhost]
SerialNumber: 33402702424818636287940487352184976883

Subject: test.localhost
         Company
         1234 Real St, Denver Colorado

Issuer:  ca
         Company
         1234 Real St, Denver Colorado

KeyUsage: [CRLSign DigitalSignature]
ExtKeyUsage: [ServerAuth OCSPSigning]

PublicKeyAlgorithm: Ed25519
SignatureAlgorithm: Ed25519

Signature:
      202194762a98b48945cd5cf190fbc300246477c41b8ea4d4c2
      43e0871fcb8bd0087abd167da58640dcd394440b6f45309a35
      4b801ec310b3a8dd10ef8a74c007

Certificate valid
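The flow above (generate a CA, build a CSR, sign it, then verify against the certs CA versus a trust store that does not contain it) as one added example written for this page against Go's crypto/x509, not code from the certs repository. The function names NewCA, NewCSR, Sign and Verify, the validity periods and the key usages are this example's own choices, not the tool's. The leaf is deliberately issued with DigitalSignature and ServerAuth only; the sample output above shows CRLSign and OCSPSigning on the leaf as well, which a TLS server certificate has no reason to carry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// serial draws a random 128-bit serial number, the size seen in the README's sample output.
func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	return n
}

// NewCA builds an ed25519 key and a self-signed CA certificate, roughly what `certs -gen` writes out.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCSR makes a fresh key and a DER-encoded CSR for the common name and SANs (`certs -csr`).
func NewCSR(commonName string, dnsNames []string) ([]byte, ed25519.PrivateKey, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName}, DNSNames: dnsNames}, key)
	return der, key, err
}

// Sign checks the CSR's proof of possession, then issues a TLS server leaf (`certs -sign`).
// It grants DigitalSignature + ServerAuth only, a narrower set than the README's sample leaf.
func Sign(ca *x509.Certificate, caKey ed25519.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial(), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(0, 3, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify chains leaf to the given roots for host (`certs -verify`). Calling it with no roots stands in
// for a trust store that lacks the CA (the `-system` failure above); set Roots to nil for the real one.
func Verify(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, caKey, err := NewCA("my-ca")
	check(err)
	csr, _, err := NewCSR("test.localhost", []string{"test.localhost"})
	check(err)
	leaf, err := Sign(ca, caKey, csr)
	check(err)
	fmt.Println("against certs CA:", Verify(leaf, "test.localhost", ca))
	fmt.Println("against no roots:", Verify(leaf, "test.localhost"))
}
```

Run it with `go run .`: the first Verify prints `<nil>`, the second prints the same "certificate signed by unknown authority" error shown for `-system` above, because a self-signed CA is unknown to every store it has not been added to. Sign refuses a CSR whose signature does not check out, so a request that was altered in transit, or was built with a key the requester does not hold, is rejected rather than issued.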

Validate remote certificate

System roots

$ certs -verify example.com:443
DNSNames: [www.example.org example.com example.edu example.net example.org www.example.com www.example.edu www.example.net]
SerialNumber: 21020869104500376438182461249190639870

Subject: www.example.org
         Internet Corporation for Assigned Names and Numbers Technology
         Los Angeles California

Issuer:  DigiCert SHA2 Secure Server CA
         DigiCert Inc


KeyUsage: [DigitalSignature KeyEncipherment]
ExtKeyUsage: [ServerAuth ClientAuth]

PublicKeyAlgorithm: RSA
SignatureAlgorithm: SHA256-RSA

Signature:
      737085ef4041a76a43d5789c7b5548e6bc6b9986bafb0d038b
      78fe11f029a00ccd69140bc60478b2cef087d5019dc4597a71
      fef06e9ec1a0b0912d1fea3d55c533050ccdc13518b06a6866
      4cbf5621da5bd948b98c3521915ddc75d77a462c2227a66fd3
      3a17ebbebd13c5122673c05da335896afb27d4ddaa74742e37
      e5013ba6d030b083d0a1c4752185b2e5fa670030a2bc53834d
      bfd6a883bbbcd6ed1cb31ef1580382008e9cef90f21a5fa2a3
      06da5dbe9fda5da6e62fde588018d3f1627ba6a39faea86972
      638165ae8283a3b5978a9b2051ff1a3f61401e48d06b38f9e1
      fa17d8774a88e63d36244fef0ab99f70f38327f8cf2a057510
      a18a0a8088cd
OCSPServer: [http://ocsp.digicert.com]

Remote chain valid
System check valid

Output to stdout

Without -w, results are written to stdout instead of to files.

$ certs -sign ./test.localhost.csr
-----BEGIN PRIVATE KEY-----
KEY
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE REQUEST-----
CSR
-----END CERTIFICATE REQUEST-----

-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----

Print certificate info

$ certs -sign test.localhost -w
$ certs -output ./test.localhost.crt
DNSNames: [test.localhost]
SerialNumber: 33402702424818636287940487352184976883

Subject: test.localhost
         Company
         1999 Broadway St, Denver Colorado

Issuer:  my-ca
         Company
         1999 Broadway St, Denver Colorado

KeyUsage: [CRLSign DigitalSignature]
ExtKeyUsage: [ServerAuth OCSPSigning]

PublicKeyAlgorithm: Ed25519
SignatureAlgorithm: Ed25519

Signature:
      202194762a98b48945cd5cf190fbc300246477c41b8ea4d4c2
      43e0871fcb8bd0087abd167da58640dcd394440b6f45309a35
      4b801ec310b3a8dd10ef8a74c007

Print remote certificate chain

$ certs -remote example.com:443
DNSNames: [www.example.org example.com example.edu example.net example.org www.example.com www.example.edu www.example.net]
SerialNumber: 21020869104500376438182461249190639870

Subject: www.example.org
         Internet Corporation for Assigned Names and Numbers Technology
         Los Angeles California

Issuer:  DigiCert SHA2 Secure Server CA
         DigiCert Inc


KeyUsage: [DigitalSignature KeyEncipherment]
ExtKeyUsage: [ServerAuth ClientAuth]

PublicKeyAlgorithm: RSA
SignatureAlgorithm: SHA256-RSA

Signature:
      737085ef4041a76a43d5789c7b5548e6bc6b9986bafb0d038b
      78fe11f029a00ccd69140bc60478b2cef087d5019dc4597a71
      fef06e9ec1a0b0912d1fea3d55c533050ccdc13518b06a6866
      4cbf5621da5bd948b98c3521915ddc75d77a462c2227a66fd3
      3a17ebbebd13c5122673c05da335896afb27d4ddaa74742e37
      e5013ba6d030b083d0a1c4752185b2e5fa670030a2bc53834d
      bfd6a883bbbcd6ed1cb31ef1580382008e9cef90f21a5fa2a3
      06da5dbe9fda5da6e62fde588018d3f1627ba6a39faea86972
      638165ae8283a3b5978a9b2051ff1a3f61401e48d06b38f9e1
      fa17d8774a88e63d36244fef0ab99f70f38327f8cf2a057510
      a18a0a8088cd
OCSPServer: [http://ocsp.digicert.com]
DNSNames: []
SerialNumber: 2646203786665923649276728595390119057

Certificate is a CA

Subject: DigiCert SHA2 Secure Server CA
         DigiCert Inc


Issuer:  DigiCert Global Root CA
         DigiCert Inc www.digicert.com


KeyUsage: [DigitalSignature CertSign CRLSign]
ExtKeyUsage: []

PublicKeyAlgorithm: RSA
SignatureAlgorithm: SHA256-RSA

Signature:
      233edf4bd23142a5b67e425c1a44cc69d168b45d4be004216c
      4be26dccb1e0978fa65309cdaa2a65e5394f1e83a56e5c98a2
      2426e6fba1ed93c72e02c64d4abfb042df78dab3a8f96dff21
      855336604c76ceec38dcd65180f0c5d6e5d44d2764ab9bc73e
      71fb4897b8336dc91307ee96a21b1815f65c4c40edb3c2ecff
      71c1e347ffd4b900b43742da20c9ea6e8aee1406ae7da25998
      88a81b6f2df4f2c9145f26cf2c8d7eed37c0a9d539b982bf19
      0cea34af002168f8ad73e2c932da38250b55d39a1df06886ed
      2e4134ef7ca5501dbf3af9d3c1080ce6ed1e8a5825e4b877ad
      2d6ef552ddb4748fab492e9d3b9334281f78ce94eac7bdd3c9
      6d1cde5c32f3
OCSPServer: [http://ocsp.digicert.com]
DNSNames: []
SerialNumber: 10944719598952040374951832963794454346

Certificate is a CA

Subject: DigiCert Global Root CA
         DigiCert Inc www.digicert.com


Issuer:  DigiCert Global Root CA
         DigiCert Inc www.digicert.com


KeyUsage: [CRLSign CertSign DigitalSignature]
ExtKeyUsage: []

PublicKeyAlgorithm: RSA
SignatureAlgorithm: SHA1-RSA

Signature:
      cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a324
      18fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab
      11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e4
      0760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266
      d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d288245
      3e7954922698e08048a837eff0d6796016deace80ecd6eac44
      17382f49dae1453e2ab93653cf3a5006f72ee8c457496c6121
      18d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c
      8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec
      2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6
      e9d595956dde

Todo

  • Validate and print remote TLS certificates [HTTP/1.1]

  • Validate and print remote TLS certificates [gRPC & HTTP/2]

  • Sign certs with yubikey

  • Add encrypted and signed audit logs

  • Password protect ca key

  • Pull CA from secret manager

  • Store certificates in secret manager

  • Create Kubernetes secrets and/or hook into cert-manager