A simple certificate manager written in Go. Easy to use with limited capability.

etcd now uses cfssl as the official tool to generate certificates. cfssl provides more features and is well maintained. We provide an example using the tool here.

Common Uses

etcd-ca allows you to build your own certificate system:

  1. Create certificate authority
  2. Create, issue and export host certificates
  3. Manage host identities
  4. Deploy a Public Key Infrastructure

Primarily used for coreos/etcd SSL/TLS testing.

Certificate architecture

etcd-ca initializes a certificate authority and issues certificates using that authority only. This means the certification path has a length of at most 2.


Create a new certificate authority:

$ ./etcd-ca init
Created ca/key
Created ca/crt

Create a new host identity, including keypair and certificate request:

$ ./etcd-ca new-cert alice
Created alice/key
Created alice/csr

etcd-ca uses for IP SAN in default. If etcd has peer address $etcd_ip other than, run ./etcd-ca new-cert -ip $etcd_ip alice instead.

If your server has multiple IP addresses or domains, pass a comma-separated IP/domain list with -ip/-domain, e.g.: ./etcd-ca new-cert -ip $etcd_ip1,$etcd_ip2 -domain $etcd_domain1,$etcd_domain2

Sign certificate request of host and generate the certificate:

$ ./etcd-ca sign alice
Created alice/crt from alice/csr signed by ca.key

Export the certificate chain for host:

$ ./etcd-ca chain alice
CA certificate body
alice certificate body

Package up the certificate and key of host:

$ ./etcd-ca export alice > alice.tar

Because etcd takes an unencrypted key for -key-file and -peer-key-file, use ./etcd-ca export --insecure alice > alice.tar to export the private key. The resulting archive contains the key in plaintext, so handle alice.tar accordingly.

List the status of all certificates:

$ ./etcd-ca status
ca: WARN (60 days until expiration)
alice: OK (120 days until expiration)
bob: Unsigned

Getting Started


etcd-ca must be built with Go 1.3+. You can build etcd-ca from source:

$ git clone
$ cd etcd-ca
$ ./build

This will generate a binary called ./bin/etcd-ca.


generate certificates for etcd

Project Details


See CONTRIBUTING for details on submitting patches and contacting developers via IRC and mailing lists.


etcd-ca is under the Apache 2.0 license. See the LICENSE file for details.