Creating a certificate authority the easy way


Easy Public Key Infrastructure intends to provide most of the components needed to manage a PKI, so you can either use the API in your automation, or use the CLI.



For the latest API:

import ""

Legacy API

The API below pkg/ has been rewritten to allow extensibility in terms of PKI storage and to improve readability.

If you used the legacy API that was only writing files to disk, a tag has been applied so you can still import it:

import ""


The current implementation of the CLI uses the local store with a directory structure compatible with openssl, so you are not restrained.

# Get the CLI:
go get

# You can also pass the following through arguments if you do not want to use
# env variables.
export PKI_ROOT=/tmp/pki
export PKI_ORGANIZATION="Acme Inc."
export PKI_LOCALITY="Agloe"
export PKI_PROVINCE="New York"

mkdir $PKI_ROOT

# Create the root CA:
easypki create --filename root --ca "Acme Inc. Certificate Authority"

# In the following commands, ca-name corresponds to the filename containing
# the CA.

# Create a server certificate for and
easypki create --ca-name root --dns --dns

# Create an intermediate CA:
easypki create --ca-name root --filename intermediate --intermediate "Acme Inc. - Internal CA"

# Create a wildcard certificate for internal use, signed by the intermediate ca:
easypki create --ca-name intermediate --dns "*" "*"

# Create a client certificate:
easypki create --ca-name intermediate --client --email

# Revoke the www certificate.
easypki revoke $PKI_ROOT/root/certs/

# Generate a CRL expiring in 1 day (PEM Output on stdout):
easypki crl --ca-name root --expire 1

You will find the generated certificates in $PKI_ROOT/ca_name/certs/ and the private keys in $PKI_ROOT/ca_name/keys/.

For more info about available flags, check out the help: easypki -h.
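Because the CA private keys sit on disk under $PKI_ROOT/ca_name/keys/ and the walkthrough above places PKI_ROOT in /tmp, it is worth checking who can read them. The following is an added example, not part of easypki: it flags any key file or keys/ directory that grants access to group or other. The function name audit_pki_keys is an assumption, and the script relies only on the directory layout described above.

```shell
#!/bin/sh
# Added example (not part of easypki): audit private-key permissions.
# Assumes the layout described above: $PKI_ROOT/<ca_name>/keys/

# Prints every key file or keys/ directory that grants any access to
# group or other. Returns 0 when clean, 1 on findings, 2 on bad input.
audit_pki_keys() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        for dir in "$root"/*/keys; do
            [ -d "$dir" ] || continue
            # Any of the six group/other permission bits is a finding.
            find "$dir" \( -type f -o -type d \) \
                \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \)
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against the PKI root when one is configured in the environment.
if [ -n "${PKI_ROOT:-}" ] && [ -d "$PKI_ROOT" ]; then
    audit_pki_keys "$PKI_ROOT" || echo "tighten with chmod 700 (dirs) / 600 (keys)" >&2
fi
```

A clean run prints nothing; each printed path is a key or key directory to tighten before the CA is used for anything beyond testing.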


This is not an official Google product.