Certificate generation made easy



tg (short for tlsgen, and also a French pun) makes issuing certificates easy. It uses only the standard Go crypto library, except for generating PKCS#12 files, because Go doesn't provide a way to write them. If you want the --p12 option to work, you need openssl installed.


go get -u


To generate a self signed server certificate:

% tg cert --name mycert --org acme --common-name john --auth-server
INFO[0000] certificate key pair created             cert=mycert-cert.pem key=mycert-key.pem

To generate a CA:

% tg cert --name myca --org acme --common-name root --is-ca --pass secret
INFO[0000] certificate key pair created             cert=myca-cert.pem key=myca-key.pem

To issue a client certificate from a CA:

% tg cert --name myclient --org acme --common-name client \
    --auth-client \
    --signing-cert myca-cert.pem \
    --signing-cert-key myca-key.pem \
    --signing-cert-key-pass secret
INFO[0000] certificate key pair created             cert=myclient-cert.pem key=myclient-key.pem

To verify a certificate:

% tg verify --cert myclient-cert.pem --signer myca-cert.pem
INFO[0000] certificate verified

To generate a CSR and a private key:

% tg csr --name myreq --org acme --common-name client
INFO[0000] Certificate request and private key created   csr=myreq-csr.pem key=myreq-key.pem

To sign a CSR:

% tg sign --name newcert --csr myreq-csr.pem \
    --auth-server \
    --signing-cert myca-cert.pem \
    --signing-cert-key myca-key.pem \
    --signing-cert-key-pass secret
INFO[0000] Certificate issued                            cert=newcert-cert.pem

To encrypt a private key:

% tg encrypt --key myclient-key.pem --pass secret > myclient-key.pem.enc

To decrypt a private key:

% tg decrypt --key myclient-key.pem.enc --pass secret

Lots of additional options:

tg -h

NOTE: all parameters can be given using environment variables. Prefix the argument name with TLSGEN_, for instance TLSGEN_OUT to set the output directory.
