myCA - Minimalistic Internal PKI Tool

A lightweight Go-based CLI tool for managing an internal Public Key Infrastructure (PKI).

  • Generates and maintains a self-signed Root CA
  • Issues and renews service and client certificates
  • Renews certificates when they approach expiration
  • Optional PKCS#12 (.p12) export for browser/user usage
  • Supports both server and client certificates (mTLS)
  • Made with Ansible in mind

Installation

# Clone repository
git clone https://github.com/developaaah/myCA.git
cd myCA

# Download dependencies
go mod download

# Build binary
make all

Quick Start

Create a Root CA (one-time)

./bin/myca ca -dir /etc/pki/internal \
  -cn "My Org Internal Root CA" \
  -org "My Org" \
  -days 3650

This creates the ca-cert.pem and ca-key.pem files in the specified directory.

Note: Never share the ca-key.pem file with anyone! This file should always be kept private and local.

Issue Service Certificate

In this example we'll use Nomad as the Service.

./bin/myca cert \
  -cn "nomad-server-1.internal" \
  -dns "nomad-server-1.internal,nomad.service.consul" \
  -ip "10.0.0.10" \
  -dir /etc/nomad/tls

This will generate the following files:

/etc/nomad/tls/nomad-server-1.internal.crt
/etc/nomad/tls/nomad-server-1.internal.key

Generate .p12 for browser/user certificate

./bin/myca cert \
  -cn "alice" \
  -dir ./users \
  -p12 \
  -p12-pass "SuperSecure"

This creates:

./users/alice.crt
./users/alice.key
./users/alice.p12  ← suitable for browser import

Note: The PKCS#12 password is optional.
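As an added illustration that is not code from the myCA project, the Go program below uses only the standard library to do in memory what the Quick Start steps do on disk: build a self-signed root restricted to certificate signing, issue a server leaf carrying DNS and IP SANs and limited to serverAuth, verify that leaf the way a client holding ca-cert.pem would, and decide whether it is inside a renewal window. The type and function names (CA, NewRootCA, IssueServerCert, VerifyServerCert, NeedsRenewal) and the choice of ECDSA P-256 keys are assumptions made for this example, not myCA's API or its key type. PKCS#12 export is not shown because the standard library does not encode it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// CA pairs a root certificate with its key (the ca-cert.pem/ca-key.pem pair).
// Hypothetical type for this example, not the project's own.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewRootCA builds a self-signed root limited to signing certificates and
// CRLs, the role `myca ca -cn ... -org ... -days ...` fills.
func NewRootCA(cn, org string, days int) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             now,
		NotAfter:              now.AddDate(0, 0, days),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a leaf for cn carrying DNS and IP SANs. The leaf is
// not a CA and is limited to serverAuth, so a stolen service key cannot be
// used to mint further certificates or to act as a client certificate.
func (ca *CA) IssueServerCert(cn string, dns []string, ips []net.IP, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    now.Add(-5 * time.Minute), // tolerate small clock skew
		NotAfter:     now.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// VerifyServerCert is the check a client holding ca-cert.pem performs: the
// leaf must chain to root, match host (DNS name or IP) and allow serverAuth.
func VerifyServerCert(root, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// NeedsRenewal reports whether cert expires within window of now, the test a
// scheduled renewal job runs before re-issuing.
func NeedsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}
```

Writing the returned DER through encoding/pem with the "CERTIFICATE" and "EC PRIVATE KEY" block types would give the same .crt/.key layout the CLI produces. The verification step is the one worth keeping near any issuance script: a leaf that was signed by some other root, or that lacks the right SAN, is rejected here exactly as a browser or Consul client would reject it.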

Typical Use Cases

Use Case            Command
Nomad               myca cert -cn <hostname> -dir /etc/nomad/tls
Consul              myca cert -cn "consul-server-1.internal" -dir /etc/consul/tls
HAProxy mTLS        myca cert -cn "haproxy-client" -dir /etc/haproxy/tls
User Certificate    myca cert -cn "alice" -dir ./users -p12 -p12-pass "password"

Usage with Ansible

- name: Issue/Renew Service Certificate
  shell: |
    myca cert \
      -cn "myservice.services.internal" \
      -dns "myservice.services.internal,services.internal" \
      -ip "10.0.0.1" \
      -dir "/etc/myservice/tls"
  register: myca_result
  changed_when: "'Issued certificate' in myca_result.stdout"

Best Practices

  • Keep the Root CA private and local
  • Use automation to renew certificates frequently
  • Use mTLS internally for service-to-service communication
  • Rotate certificates proactively
  • Consider Vault/ACME integration for larger infrastructures

Contributing

Contributions are welcome!
I'm no Go developer (yet), so any help is appreciated.

License

MIT License – feel free to use and adapt.
