square / Certstrap

Licence: apache-2.0
Tools to bootstrap CAs, certificate requests, and signed certificates.

Projects that are alternatives of or similar to Certstrap

Mutual Tls Ssl
🔐 Tutorial of setting up Security for your API with one way authentication with TLS/SSL and mutual authentication for a java based web server and a client with both Spring Boot. Different clients are provided such as Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient Jetty and Netty, the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, vertx, Scala client Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala, Http4s Blaze, Kotlin client Fuel, http4k, Kohttp and ktor. Also other server examples are available such as jersey with grizzly. Also gRPC examples are included
Stars: ✭ 163 (-90.35%)
Mutual labels:  ssl, tls, certificate, certificate-authority
Certigo
A utility to examine and validate certificates in a variety of formats
Stars: ✭ 662 (-60.81%)
Mutual labels:  crypto, ssl, tls, certificate
Forge
A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps
Stars: ✭ 4,204 (+148.9%)
Mutual labels:  crypto, tls, certificate, csr
Ssl Checker
Python script that collects SSL/TLS information from hosts
Stars: ✭ 94 (-94.43%)
Mutual labels:  ssl, tls, certificate
Certificaat
General-purpose ACME client
Stars: ✭ 88 (-94.79%)
Mutual labels:  ssl, certificate, bootstrap
Mbedtls
An open source, portable, easy to use, readable and flexible SSL library
Stars: ✭ 3,282 (+94.32%)
Mutual labels:  crypto, ssl, tls
freshcerts
ACME certificate protocol (Let's Encrypt) proxy client with a dashboard and monitoring
Stars: ✭ 59 (-96.51%)
Mutual labels:  tls, ssl, certificate
S2n Tls
s2n : an implementation of the TLS/SSL protocols
Stars: ✭ 4,029 (+138.54%)
Mutual labels:  crypto, ssl, tls
O Saft
O-Saft - OWASP SSL advanced forensic tool
Stars: ✭ 306 (-81.88%)
Mutual labels:  ssl, tls, certificate
Pki
The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
Stars: ✭ 97 (-94.26%)
Mutual labels:  ssl, certificate, certificate-authority
Pem
Create private keys and certificates with node.js
Stars: ✭ 496 (-70.63%)
Mutual labels:  ssl, tls, certificate
Sortpem
➿ Sorting utility for PEM files
Stars: ✭ 11 (-99.35%)
Mutual labels:  ssl, tls, certificate
Ghostunnel
A simple SSL/TLS proxy with mutual authentication for securing non-TLS services
Stars: ✭ 1,296 (-23.27%)
Mutual labels:  crypto, ssl, tls
ACMECert
PHP client library for Let's Encrypt (ACME v2 - RFC 8555)
Stars: ✭ 83 (-95.09%)
Mutual labels:  ssl, certificate, csr
Ssl Certificate Chain Resolver
SSL certificate chain resolver
Stars: ✭ 277 (-83.6%)
Mutual labels:  ssl, certificate, certificate-authority
letsencrypt-www
Probably the easiest way to create | renew | deploy certificate
Stars: ✭ 27 (-98.4%)
Mutual labels:  tls, ssl, certificate
Acme client
Java ACME Client application
Stars: ✭ 77 (-95.44%)
Mutual labels:  ssl, tls, certificate
diyca
Do-It-Yourself Certificate Authority
Stars: ✭ 18 (-98.93%)
Mutual labels:  tls, ssl, certificate-authority
qsslcaudit
test SSL/TLS clients how secure they are
Stars: ✭ 22 (-98.7%)
Mutual labels:  tls, ssl, certificate
Ssl Proxy
🔒 Simple zero-config SSL reverse proxy with real autogenerated certificates (LetsEncrypt, self-signed, provided)
Stars: ✭ 427 (-74.72%)
Mutual labels:  ssl, tls, certificate

certstrap

A simple certificate manager written in Go, to bootstrap your own certificate authority and public key infrastructure. Adapted from etcd-ca.

certstrap is a very convenient app if you don't feel like dealing with openssl, its myriad of options or config files.

Common Uses

certstrap allows you to build your own certificate system:

  1. Initialize certificate authorities
  2. Create identities and certificate signature requests for hosts
  3. Sign and generate certificates

Certificate architecture

certstrap can init multiple certificate authorities to sign certificates with. Users can make arbitrarily long certificate chains by using signed hosts to sign later certificate requests, as well.

Examples

Getting Started

Building

certstrap must be built with Go 1.13+. You can build certstrap from source:

$ git clone https://github.com/square/certstrap
$ cd certstrap
$ go build

This will generate a binary called certstrap in the project root folder.

Initialize a new certificate authority:

$ ./certstrap init --common-name "CertAuth"
Created out/CertAuth.key
Created out/CertAuth.crt
Created out/CertAuth.crl

Note that the -common-name flag is required, and will be used to name output files.

Moreover, this will also generate a new keypair for the Certificate Authority, though you can use a pre-existing private PEM key with the -key flag.

If the CN contains spaces, certstrap will change them to underscores in the filename for easier use. The spaces will be preserved inside the fields of the generated files:

$ ./certstrap init --common-name "Cert Auth"
Created out/Cert_Auth.key
Created out/Cert_Auth.crt
Created out/Cert_Auth.crl

Request a certificate, including keypair:

$ ./certstrap request-cert --common-name Alice
Created out/Alice.key
Created out/Alice.csr

certstrap requires either the -common-name or the -domain flag to be set in order to generate a certificate signing request. The CN for the certificate is taken from these fields.

If your server has multiple IP addresses or domains, use a comma-separated IP/domain/URI list, e.g.: ./certstrap request-cert -ip $ip1,$ip2 -domain $domain1,$domain2 -uri $uri1,$uri2

If you do not wish to generate a new keypair, you can use a pre-existing private PEM key with the -key flag.

Sign certificate request of host and generate the certificate:

$ ./certstrap sign Alice --CA CertAuth
Created out/Alice.crt from out/Alice.csr signed by out/CertAuth.key

PKCS Format:

If you'd like to convert your certificate and key to PKCS12 format, simply run:

$ openssl pkcs12 -export -out outputCert.p12 -inkey inputKey.key -in inputCert.crt -certfile CA.crt

inputKey.key and inputCert.crt make up the leaf private key and certificate pair of your choosing (generated by a sign command), with CA.crt being the certificate authority certificate that was used to sign it. The output PKCS12 file is outputCert.p12.

Key Algorithms:

Certstrap supports curves P-224, P-256, P-384, P-521, and Ed25519. A curve can be specified by name with the --curve flag as part of the init and request-cert commands:

$ ./certstrap init --common-name CertAuth --curve P-256
Created out/CertAuth.key
Created out/CertAuth.crt
Created out/CertAuth.crl

$ ./certstrap request-cert --common-name Alice --curve P-256
Created out/Alice.key
Created out/Alice.csr

Retrieving Files

Generated key, request, and certificate files are written to the depot directory. By default, this is out/.

Project Details

Contributing

See CONTRIBUTING for details on submitting patches.

License

certstrap is under the Apache 2.0 license. See the LICENSE file for details.
