Skip to content
/ gocert Public

🔒 Generate Self-Signed TLS/SSL Certificates Pain-Free!

License

Notifications You must be signed in to change notification settings

moorara/gocert

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Go Doc Build Status Go Report Card Test Coverage

gocert

If you are having a hard time every time using openssl for generating self-signed certificates, this tool is for you! A lightweight library and also command-line interface for generating self-signed SSL/TLS certificates using pure go.

asciicast

Install

brew install moorara/brew/gocert

For other platforms, you can download the binary from the latest release.

Quick Start

mkdir certs
cd certs

gocert init
gocert root

gocert intermediate -name=sre
gocert sign -ca=root -name=sre

gocert server -name=webapp
gocert client -name=myservice
gocert sign -ca=sre -name=webapp,myservice

gocert verify -ca=root -name=sre
gocert verify -ca=sre -name=webapp,myservice

Certificates Explained

You can generate the following types of certificates:

  • Root Certificate Authority
  • Intermediate Certificate Authority
  • Server Certificate
  • Client Certificate

Root CA is only used for signing intermediate CA. There is only one root CA called root by default. Root CA never signs user certificates (server or client) directly. It should be keep secured, offline, and unused as much as possible.

Intermediate CA is used for signing server and client certificates. It must be signed by root CA. If an intermediate key is comprised, the root CA can revoke the intermediate CA and create a new one.

Server certificates can be used for securing servers and establishing SSL/TLS servers. They should be signed by an intermediate certificate. The CommonName for server certificates must be a Fully Qualified Domain Name (FQDN).

Client certificates can be used for client authentication and MTLS communications between services. They should be signed by an intermediate certificate.

Default Configs

Type Key Length Expiry Days
Root 4096 7300 (20 years)
Intermediate 4096 3650 (10 years)
Server 2048 375 (~1 year)
Client 2048 40 (~1 month)

You can change these configs by editing state.yaml file.