A cross-platform command line tool to create an X.509 trust list from various trust stores. (Keywords: CABFORUM, eIDAS, WebPKI)

tl-create


A cross-platform command line tool to create an X.509 trust list from various trust stores.

There are various organizations that produce lists of certificates that they believe should be trusted for one thing or another. The most used is the Mozilla list but there are more, such as the Microsoft list, the Apple list and the European Union "Trust Service Providers" list.

Each of these lists has its own format. This tool parses the lists provided by these organizations, extracts the certificates that meet the specified criteria (for example, "email"), and produces a PEM certificate bag of these certificates.

For example, to extract the roots that are trusted for email, code and web from both the EU Trust List and the Mozilla list, the command would look like this:

node src/bin/tl-create.js --eutl --mozilla --for 'EMAIL_PROTECTION,CODE_SIGNING' --format pem roots.pem

This would produce a file that looked something like this:

 Country: UK
 Operator: European Commission
 Source: EUTL
 -----BEGIN CERTIFICATE-----
 ...
 ...
 -----END CERTIFICATE-----
 Operator: DigiCert, Inc
 For: email, www, code
 Source: Mozilla
 -----BEGIN CERTIFICATE-----
 ...
 ...
 -----END CERTIFICATE-----
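
An added example (not part of tl-create) for auditing a merged bag before it is deployed: it parses the annotated layout shown above, fingerprints each certificate with SHA-256, and records which stores supplied each one. The "Key: value" header layout is assumed from the sample output, the function names are hypothetical, and the certificate bodies are constructed placeholder bytes rather than real certificates.

```javascript
// Added example, not tl-create code. Assumes "Key: value" lines before each PEM block.
const crypto = require("crypto");
// Parse a bag into entries of the form { meta, der, sha256 }.
function parseBag(text) {
  const entries = [];
  let meta = {};
  let b64 = null; // null means we are outside a certificate block
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "-----BEGIN CERTIFICATE-----") {
      if (b64 !== null) throw new Error("nested BEGIN CERTIFICATE");
      b64 = "";
    } else if (line === "-----END CERTIFICATE-----") {
      if (!b64) throw new Error("END without a certificate body");
      const der = Buffer.from(b64, "base64");
      const sha256 = crypto.createHash("sha256").update(der).digest("hex");
      entries.push({ meta, der, sha256 });
      meta = {};
      b64 = null;
    } else if (b64 !== null) {
      if (!/^[A-Za-z0-9+\/=]*$/.test(line)) throw new Error("invalid base64 line");
      b64 += line;
    } else {
      const m = /^([A-Za-z ]+):\s*(.*)$/.exec(line);
      if (m) meta[m[1]] = m[2];
    }
  }
  if (b64 !== null) throw new Error("unterminated certificate block");
  return entries;
}
// Map each SHA-256 fingerprint to the set of stores that supplied that certificate.
function sourcesByFingerprint(entries) {
  const bySha = new Map();
  for (const e of entries) {
    if (!bySha.has(e.sha256)) bySha.set(e.sha256, new Set());
    bySha.get(e.sha256).add(e.meta.Source || "unknown");
  }
  return bySha;
}
// Constructed sample: placeholder bytes stand in for DER, not real certificates.
const SAMPLE = [
  "Operator: Example CA A", "For: email, www, code", "Source: Mozilla",
  "-----BEGIN CERTIFICATE-----", "AAECAwQFBgc=", "-----END CERTIFICATE-----",
  "Operator: Example CA A", "Source: Microsoft",
  "-----BEGIN CERTIFICATE-----", "AAECAwQFBgc=", "-----END CERTIFICATE-----",
  "Country: UK", "Operator: Example TSP", "Source: EUTL",
  "-----BEGIN CERTIFICATE-----", "CAkKCwwNDg8=", "-----END CERTIFICATE-----",
].join("\n");
```

To audit a real file, pass its contents to `parseBag` and review any fingerprint whose source set is smaller than expected before adding the bag to a trust store.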

Usage

Extract all Microsoft Roots

node src/bin/tl-create.js --microsoft --format pem roots.pem

Valid Microsoft trust purposes

  SERVER_AUTH
  CLIENT_AUTH
  CODE_SIGNING
  EMAIL_PROTECTION
  IPSEC_END_SYSTEM
  IPSEC_TUNNEL
  IPSEC_USER
  TIME_STAMPING
  OCSP_SIGNING
  IPSEC_PROTECTION
  DOCUMENT_SIGNING
  EFS_CRYPTO

Extract all Mozilla Roots

node src/bin/tl-create.js --mozilla --format pem roots.pem

Valid Mozilla trust purposes

  DIGITAL_SIGNATURE
  NON_REPUDIATION
  KEY_ENCIPHERMENT
  DATA_ENCIPHERMENT
  KEY_AGREEMENT
  KEY_CERT_SIGN
  CRL_SIGN
  SERVER_AUTH
  CLIENT_AUTH
  CODE_SIGNING
  EMAIL_PROTECTION
  IPSEC_END_SYSTEM
  IPSEC_TUNNEL
  IPSEC_USER
  TIME_STAMPING
  STEP_UP_APPROVED

Extract all Apple Roots

node src/bin/tl-create.js --apple --format pem roots.pem

Extract all EUTL Roots

node src/bin/tl-create.js --eutl --format pem roots.pem

Extract only SERVER_AUTH certificates from Mozilla and Microsoft

node src/bin/tl-create.js --mozilla --microsoft --for "SERVER_AUTH" --format pem roots.pem

NOTE: The default is ALL purposes

Available output formats

js
pkijs
pem

NOTE: Default output format is 'js'

Install

git clone https://github.com/PeculiarVentures/tl-create.git
cd tl-create
npm install -g

Bug Reporting

Please report bugs either as pull requests or as issues in the issue tracker. tl-create has a full disclosure vulnerability policy. Please do NOT attempt to report any security vulnerability in this code privately to anybody.

TODO

Related