Minica is a simple CA intended for use in situations where the CA operator also operates each host where a certificate will be used. It automatically generates both a key and a certificate when asked to produce a certificate. It does not offer OCSP or CRL services. Minica is appropriate, for instance, for generating certificates for RPC systems or microservices.
On first run, minica will generate a keypair and a root certificate in the current directory, and will reuse that same keypair and root certificate unless they are deleted.
On each run, minica will generate a new keypair and sign an end-entity (leaf) certificate for that keypair. The certificate will contain a list of DNS names and/or IP addresses from the command line flags. The key and certificate are placed in a new directory whose name is chosen as the first domain name from the certificate, or the first IP address if no domain names are present. It will not overwrite existing keys or certificates.
By default, both the CA certificate and end-entity certificates have a validity of 2 years and 30 days (the --long-lived-ca and --long-lived-ee flags shown in the examples below extend this).
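What the paragraphs above describe, as an added Go example that is not minica's own code: a self-signed root generated once, a leaf certificate for a fresh keypair carrying the DNS names and IP addresses as SANs, and the chain-and-hostname check a consumer of minica.pem would perform. It uses Ed25519 and keeps everything in memory rather than writing minica-key.pem, minica.pem and <dir>/key.pem; the name "example root ca" is an assumed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newTemplate: random serial plus the page's default validity of 2 years and 30 days.
func newTemplate(cn string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add((2*365 + 30) * 24 * time.Hour)}
}

// NewRoot: keypair plus self-signed CA cert, what minica does on first run (Ed25519 here; minica defaults to ECDSA).
func NewRoot() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := newTemplate("example root ca") // assumed placeholder name
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// IssueLeaf: fresh keypair plus a SAN-only end-entity cert signed by the root, what each later run does.
func IssueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, dns []string, ips []net.IP) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader) // minica would write this key to <dir>/key.pem
	if err != nil { return nil, err }
	tmpl := newTemplate("")
	tmpl.DNSNames, tmpl.IPAddresses = dns, ips
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Verify: does leaf chain to root, and is it valid for host (a DNS name or an IP address)?
func Verify(root, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```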
First, install the Go tools and set up your $GOPATH.
Then, run:
go install github.com/emaballarin/minica@latest
When using Go 1.11 or newer you don't need a $GOPATH and can instead do the following:
cd /ANY/PATH
git clone https://github.com/emaballarin/minica.git
cd minica
go build
# or, to put the binary on your PATH:
# go install
Mac OS users can alternatively install it with Homebrew: brew install minica
Minica supports three cryptographic algorithms for key generation, selected with the --ca-alg flag (see the examples below):

- RSA (4096-bit)
  - Security Level: ~152-bit
  - Use Case: Maximum compatibility, long-term security
  - Performance: Slower key generation (~1-3 seconds)
- ECDSA (P-521, the default)
  - Security Level: ~256-bit
  - Use Case: High security with good performance
  - Performance: Fast key generation (<100ms)
- Ed25519
  - Security Level: ~128-bit
  - Use Case: Modern applications, best performance
  - Performance: Very fast key generation (<50ms)
  - Compatibility Requirements:
    - OpenSSL 1.1.1+ (released September 2018)
    - Java 15+ or BouncyCastle library
    - Modern browsers (Chrome 70+, Firefox 63+, Safari 12.1+)
    - Python: cryptography 2.6+
    - Not supported on legacy systems (pre-2018)
Note: Ed25519 is recommended for modern internal infrastructure. For maximum compatibility with legacy systems, use RSA or ECDSA.
# Generate a root key and cert in minica-key.pem, and minica.pem, then
# generate and sign an end-entity key and cert, storing them in ./foo.com/
$ minica --domains foo.com
# Wildcard
$ minica --domains '*.foo.com'
# Specify the cryptographic algorithm (default is ECDSA)
$ minica --ca-alg rsa --domains foo.com # Use RSA 4096-bit
$ minica --ca-alg ecdsa --domains bar.com # Use ECDSA P-521 (default)
$ minica --ca-alg ed25519 --domains baz.com # Use Ed25519
# Generate long-lived certificates (100 years)
$ minica --long-lived-ca --long-lived-ee --domains example.com
# Reuse existing keys when regenerating certificates
$ minica --reuse-keys --domains foo.com