Certify is an easy-to-use certificate manager and can be used as an alternative to OpenSSL. With Certify you can create your own private CA (Certificate Authority) and issue certificates with your own CA.
- Create a CA and intermediate CA
- Issue certificate with custom common name, ip san, dns san, expiry date, and extended key usage
- Show certificate information from file or remote host
- Export certificate to PKCS12 format
- Verify private key matches with certificate
- Revoke certificate
Download in the release page
_ _ ___
___ ___ ___| |_|_| _|_ _
| _| -_| _| _| | _| | |
|___|___|_| |_| |_|_| |_ |
|___| Certify v1.x
Usage of certify:
certify [flag] [ip-or-dns-san] [cn:default certify] [eku:default serverAuth,clientAuth] [expiry:default 8766h s,m,h,d]
$ certify server.local 172.17.0.1 cn:web-server eku:serverAuth expiry:1d
$ certify -init cn:web-server o:nothinux crl-nextupdate:100d
Flags:
-init
Initialize new root CA Certificate and Key
-intermediate
Generate intermediate certificate
-read <filename>
Read certificate information from file or stdin
-read-crl <filename>
Read certificate revocation list from file or stdin
-connect <host:443> <tlsver:1.2> <insecure> <with-ca:ca-path>
Show certificate information from remote host, use tlsver to set spesific tls version
-export-p12 <cert> <private-key> <ca-cert>
Generate client.p12 pem file containing certificate, private key and ca certificate
-match <private-key> <cert>
Verify cert-key.pem and cert.pem has same public key
-interactive
Run certify interactively
-revoke <certificate> <crl-file> <crl-nextupdate:10d(optional)>
Revoke certificate, the certificate will be added to CRL
-verify-crl <certificate> <crl-file>
Check if the certificate was revoked
-version
print certify version
Create Certificate with CN nothinux and expiry 30 days
# create CA
$ certify -init cn:nothinux o:nothinux
# create Certificate
$ certify cn:nothinux expiry:30d
Create Certificate interactively
$ certify -interactive
Read Certificate
$ certify -read ca-cert.pem
or
$ cat ca-cert.pem | certify -read
You can also use certify as library for your Go application
go get github.com/nothinux/certify
see pkg.go.dev
package main
import (
"crypto/x509/pkix"
"log"
"os"
"time"
"github.com/nothinux/certify"
)
func main() {
p, err := certify.GetPrivateKey()
if err != nil {
log.Fatal(err)
}
if err := os.WriteFile("CA-key.pem", []byte(p.String()), 0640); err != nil {
log.Fatal(err)
}
// create ca
template := certify.Certificate{
Subject: pkix.Name{
Organization: []string{"certify"},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(8766 * time.Hour),
IsCA: true,
}
caCert, err := template.GetCertificate(p.PrivateKey)
if err != nil {
log.Fatal(err)
}
if err := os.WriteFile("CA-cert.pem", []byte(caCert.String()), 0640); err != nil {
log.Fatal(err)
}
}