tbro/myca

This repository has been archived by the owner on Apr 23, 2024. It is now read-only.

CLI TLS certificate chain generation utility

myca

This was a small project, an improved version of which was included in rcgen. You should use that instead of this.

myca is a developer tool that generates TLS certificate chains for use in a development workflow. It currently produces a chain of one root CA and one end-entity certificate, together with both private keys; the end-entity certificate is signed by the root CA's key.

features

  • easy
  • tested
  • flexible

installation

The easiest method is currently cargo install myca. You can also clone this repository and build it with cargo build.

usage

Once the binary is built, pass it a directory in which to write the generated files:

myca -o output/dir/

In the output directory you will find these files:

  • cert.pem (end-entity's X.509 certificate, signed by root-ca's key)
  • cert.key.pem (end-entity's private key)
  • root-ca.pem (CA's self-signed X.509 certificate)
  • root-ca.key.pem (CA's private key)

root-ca.key.pem is included only so you can do more with the CA later, such as signing additional end-entity certificates. Anything that trusts root-ca.pem will also trust every certificate signed with this key, so if you plan on using these files as anything more than temporary throw-away secrets for testing and development, be very careful where the key is stored and who can read it. If you don't need it, destroy it.

Or, with cargo run:

cargo run -- -o output/dir

You can also use the same tool to inspect the generated certificates (or any X.509 certificate):

myca --parse path/to/cert.pem

For the complete list of supported options:

myca --help

FAQ

What signature schemes are available?

  • pkcs_ecdsa_p256_sha256
  • pkcs_ecdsa_p384_sha384
  • pkcs_ed25519
  • pkcs_rsa_sha256
  • pkcs_rsa_sha384
  • pkcs_rsa_sha512

Why can't my client authenticate with server?

Make sure you pass --clientauth when generating the certificate that the client will present. The flag marks the end-entity certificate for client authentication (the clientAuth extended key usage); a server that verifies client certificates will reject a certificate that lacks it.

How do I use this for mutual authentication?

Essentially, run myca twice, into two separate output directories: once with the default options for the server, and once with --clientauth for the client. Each side presents its own cert.pem and cert.key.pem, and the side doing the authenticating gets the other side's root-ca.pem as its trust store: copy the client run's root-ca.pem to the server, and the server run's root-ca.pem to the client. Neither side needs the other's root-ca.key.pem.
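
The following POSIX shell script is an added example, not part of myca, that checks two myca output directories (a server run and a --clientauth client run) with openssl before wiring them into an application. It assumes openssl is on PATH and that each directory holds the four files listed under usage above. `openssl verify -purpose sslclient` performs the same check on the leaf certificate that a server does when it verifies a client certificate, so a client certificate generated without --clientauth fails here with the same "unsupported certificate purpose" error it would produce in a real handshake. The key/certificate match check catches the other common mistake, pairing cert.pem with the wrong .key.pem file.

```shell
#!/bin/sh
# Added example (not myca's own code): sanity-check directories written by
# `myca -o DIR` using openssl. Assumes openssl is on PATH and each DIR holds
# cert.pem, cert.key.pem, root-ca.pem and root-ca.key.pem.

# Does cert.pem chain to root-ca.pem, and is it usable for PURPOSE
# ("sslserver" or "sslclient")? For sslclient, openssl requires the leaf to
# carry the clientAuth extended key usage, which is what --clientauth adds.
verify_chain() {
    dir=$1
    purpose=$2
    openssl verify -CAfile "$dir/root-ca.pem" -purpose "$purpose" \
        "$dir/cert.pem" >/dev/null 2>&1
}

# Does cert.key.pem really belong to cert.pem? Compare the public keys.
key_matches_cert() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/cert.key.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Mutual authentication needs two myca runs: SERVER_DIR (default options) and
# CLIENT_DIR (generated with --clientauth). Each side presents its own
# cert.pem + cert.key.pem and trusts the other side's root-ca.pem.
check_mtls_layout() {
    server_dir=$1
    client_dir=$2
    verify_chain "$server_dir" sslserver ||
        { echo "server cert.pem does not verify for sslserver" >&2; return 1; }
    verify_chain "$client_dir" sslclient ||
        { echo "client cert.pem does not verify for sslclient (generated without --clientauth?)" >&2; return 1; }
    key_matches_cert "$server_dir" ||
        { echo "server cert.pem / cert.key.pem mismatch" >&2; return 1; }
    key_matches_cert "$client_dir" ||
        { echo "client cert.pem / cert.key.pem mismatch" >&2; return 1; }
    echo "server presents: $server_dir/cert.pem + cert.key.pem; trusts: $client_dir/root-ca.pem"
    echo "client presents: $client_dir/cert.pem + cert.key.pem; trusts: $server_dir/root-ca.pem"
}

# Usage: sh check-myca.sh SERVER_DIR CLIENT_DIR
if [ "$#" -eq 2 ]; then
    check_mtls_layout "$1" "$2"
fi
```

The root-ca.key.pem files are deliberately never read: the trust relationship only needs the CA certificate, which is why the key can be kept off both hosts or destroyed once the chains are generated.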

justification

Self-signed certificates are great, but a single self-signed certificate never exercises chain validation against a separate CA, so it doesn't let you test authentication. OpenSSL wrapped in bash is great, but you have to know many things to output a valid certificate chain, and as your application evolves, your collection of bash scripts may become large and difficult to maintain. This tool is meant to be easy enough to generate a valid certificate chain by supplying only a directory to output it into, and flexible enough that you can easily modify the parameters you need.
