x509 Certificates are complicated to get right. SSCG makes it easy to generate usable, signed certificates quickly without needing to understand complex openssl, certtool or certutil commands.
sscg is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version, along with an exception permitting the code to link against the OpenSSL library.
/usr/bin/sscg
This will produce a ca.crt and a pair of service.pem and service-key.pem files in the current directory, the latter of which is signed by the private key of the ca.crt. The CA's private key will be destroyed by default after these files are created, so nothing further can be signed by it. (See this blog post for details on why this is desirable.)
Certificates generated by SSCG will be valid by default for securing the current machine's hostname and no others. To add further names (such as for a multi-homed system), look at the --subject-alt-name argument below.
Usage of sscg:
Usage: sscg [OPTION...]
-V, --version Display the version number and exit.
-f, --force Overwrite any pre-existing files in the requested locations
Help options:
-?, --help Show this help message
--usage Display brief usage message
Verbosity options
-q, --quiet Display no output unless there is an error.
-v, --verbose Display progress messages.
-d, --debug Enable logging of debug messages. Implies verbose. Warning! This will print private key information to
the screen!
Certificate Subject options
--lifetime=1-3650 Certificate lifetime (days). (default: 398)
--country=US, CZ, etc. Certificate DN: Country (C). (default: "US")
--state=Massachusetts, British Columbia, etc. Certificate DN: State or Province (ST).
--locality=Westford, Paris, etc. Certificate DN: Locality (L).
--organization=My Company Certificate DN: Organization (O). (default: "Unspecified")
--organizational-unit=Engineering, etc. Certificate DN: Organizational Unit (OU).
--email=myname@example.com Certificate DN: Email Address (Email).
--hostname=server.example.com The valid hostname of the certificate. Must be an FQDN. (default: current system FQDN)
--subject-alt-name alt.example.com Optional additional valid hostnames for the certificate. In addition to hostnames, this option also
accepts explicit values supported by RFC 5280 such as IP:xxx.xxx.xxx.xxx May be specified multiple
times.
Certificate Key Cryptography Options
--key-type={rsa,ecdsa,mldsa} Type of key to use for the certificate private keys. (default: rsa)
--key-strength=2048 or larger Strength of the certificate private keys in bits. This argument is only valid if --key-type is set to
rsa. (default: 2048)
--ec-curve={secp224r1,secp256r1,secp384r1,secp521r1} EC curve to use for the certificate private keys. This argument is only valid if --key-type is set to
ecdsa.
--mldsa-nist-level={2,3,5} NIST level to use for the ML-DSA key. This argument is only valid if --key-type is set to mldsa.
(default: 2)
--hash-alg={sha256,sha384,sha512} Hashing algorithm to use for signing RSA and ECDSA keys. This argument is only valid if --key-type is
rsa or ecdsa. (default: "sha256")
--cipher-alg={des-ede3-cbc,aes-256-cbc} Cipher to use for encrypting key files. (default: "aes-256-cbc")
Certificate Authority File Options
--ca-file=STRING Path where the public CA certificate will be stored. (default: "./ca.crt")
--ca-mode=0644 File mode of the created CA certificate.
--ca-key-file=STRING Path where the CA's private key will be stored. If unspecified, the key will be destroyed rather than
written to the disk.
--ca-key-mode=0600 File mode of the created CA key.
--ca-key-password=STRING Provide a password for the CA key file. Note that this will be visible in the process table for all
users, so it should be used for testing purposes only. Use --ca-keypassfile or --ca-key-password-prompt
for secure password entry.
--ca-key-passfile=STRING A file containing the password to encrypt the CA key file.
-C, --ca-key-password-prompt Prompt to enter a password for the CA key file.
Certificate Revocation List File Options
--crl-file=STRING Path where an (empty) Certificate Revocation List file will be created, for applications that expect
such a file to exist. If unspecified, no such file will be created.
--crl-mode=0644 File mode of the created Certificate Revocation List.
Service Certificate File Options
--cert-file=STRING Path where the public service certificate will be stored. (default "./service.pem")
--cert-mode=0644 File mode of the created certificate.
--cert-key-file=STRING Path where the service's private key will be stored. (default "service-key.pem")
--cert-key-mode=0600 File mode of the created certificate key.
-p, --cert-key-password=STRING Provide a password for the service key file. Note that this will be visible in the process table for
all users, so this flag should be used for testing purposes only. Use --cert-keypassfile or
--cert-key-password-prompt for secure password entry.
--cert-key-passfile=STRING A file containing the password to encrypt the service key file.
-P, --cert-key-password-prompt Prompt to enter a password for the service key file.
Client Authentication Certificate File Options
--client-file=STRING Path where a client authentication certificate will be stored.
--client-mode=0644 File mode of the created certificate.
--client-key-file=STRING Path where the client's private key will be stored. (default is the client-file)
--client-key-mode=0600 File mode of the created certificate key.
--client-key-password=STRING Provide a password for the client key file. Note that this will be visible in the process table for all
users, so this flag should be used for testing purposes only. Use --client-keypassfile or
--client-key-password-prompt for secure password entry.
--client-key-passfile=STRING A file containing the password to encrypt the client key file.
--client-key-password-prompt Prompt to enter a password for the client key file.
Diffie-Hellman Parameter File Options
--dhparams-file=STRING A file to contain a set of Diffie-Hellman parameters. (Default: not created)
--dhparams-named-group=STRING Output well-known DH parameters. The available named groups are: ffdhe2048, ffdhe3072, ffdhe4096,
ffdhe6144, ffdhe8192, modp_2048, modp_3072, modp_4096, modp_6144, modp_8192, modp_1536, dh_1024_160,
dh_2048_224, dh_2048_256. (Default: "ffdhe4096")
--dhparams-generator={2,3,5} The generator value for dhparams. (default: 2)
Build dependencies:
# Fedora/RHEL/CentOS
dnf install meson ninja-build gcc pkgconf-pkg-config
dnf install openssl-devel talloc-devel popt-devel path_utils-devel
dnf install gettext-devel help2man clang-format
# Debian/Ubuntu
apt-get install meson ninja-build gcc pkg-config
apt-get install libssl-dev libtalloc-dev libpopt-dev libpath-utils-dev
apt-get install gettext help2man clang-formatRuntime dependencies:
- OpenSSL 1.1.0+ (libssl, libcrypto)
- talloc
- popt
- path_utils
-
Clone the repository:
git clone https://github.com/sgallagher/sscg.git cd sscg -
Configure the build:
meson setup build
-
Build the project:
ninja -C build
-
Run tests:
ninja -C build test -
Install (optional):
ninja -C build install
Debug build with additional checks:
meson setup build --buildtype=debug
ninja -C buildRelease build:
meson setup build --buildtype=release
ninja -C buildRun slow tests (including DH parameter generation):
meson setup build -Drun_slow_tests=true
ninja -C build testSSCG uses clang-format for consistent code formatting:
Auto-format code:
clang-format -i src/*.c include/*.h test/*.cBasic test suite:
ninja -C build testIndividual tests:
# Run specific test
./build/create_cert_test
./build/create_ca_test
./build/init_bignum_testMemory leak detection:
SSCG_TALLOC_REPORT=true ./build/sscgKey components:
src/sscg.c- Main application entry pointsrc/arguments.c- Command-line argument parsingsrc/authority.c- Certificate Authority managementsrc/cert.c- Certificate creation and signingsrc/x509.c- X.509 certificate operationssrc/key.c- Key generation and managementsrc/io_utils.c- File I/O operationssrc/dhparams.c- Diffie-Hellman parameter generation
Memory management:
- All dynamic memory uses talloc
- Use
TALLOC_CTXfor hierarchical cleanup - Follow talloc parent-child relationships
- Never use
malloc()/free()directly
Error handling:
- Use
CHECK_OK()macro for error propagation - Return appropriate errno values
- Clean up resources on error paths
- Provide meaningful error messages to users
-
Code quality checks:
ninja -C build test -
Test on multiple platforms if possible (Fedora, Ubuntu, etc.)
-
Update translations if you added user-facing strings:
ninja -C build sscg-pot ninja -C build sscg-update-po
-
Create descriptive commit messages:
Add support for ECDSA key generation - Implement ECDSA key creation in key.c - Add curve selection via --key-curve option - Update tests for ECDSA functionality - Update documentation -
Submit pull request with:
- Clear description of changes
- Rationale for the change
- Test results
- Any breaking changes noted
When reporting bugs, include:
- SSCG version (
sscg --version) - Operating system and version
- OpenSSL version
- Complete command line used
- Expected vs. actual behavior
- Any error messages
For security-related issues, please contact the maintainer directly rather than filing a public issue.
GDB debugging:
gdb --args ./build/sscg --debugValgrind for memory checking:
valgrind --leak-check=full --show-leak-kinds=all ./build/sscgMeson configuration issues:
# Clean and reconfigure
rm -rf build
meson setup buildMissing dependencies:
# Check what's missing
meson setup build 2>&1 | grep -i "not found\|missing"Test failures:
# Run tests with verbose output
meson test -C build -vSSCG supports internationalization and can display messages in multiple languages.
To use SSCG in your preferred language, set the LANG environment variable:
LANG=es_ES.UTF-8 sscg --help # Spanish
LANG=fr_FR.UTF-8 sscg --help # French
LANG=de_DE.UTF-8 sscg --help # GermanIf a translation is not available for your language, SSCG will fall back to English.
To create or update translations:
-
Install required tools:
# Fedora/RHEL/CentOS dnf install gettext-devel meson ninja-build # Debian/Ubuntu apt-get install gettext meson ninja-build
-
Set up the build environment:
meson setup build cd build -
Generate/update the translation template:
ninja sscg-pot
-
Create a new translation (replace
LANGwith your language code):msginit -l LANG -i po/sscg.pot -o po/LANG.po
-
Update an existing translation:
msgmerge -U po/LANG.po po/sscg.pot
-
Edit the translation file:
# Use your preferred editor or a specialized tool like poedit vim po/LANG.po -
Test your translation:
ninja LANG=LANG.UTF-8 ./sscg --help
-
Submit your translation: Create a pull request with your
.pofile.
When adding new user-facing strings to the code:
-
Mark strings for translation by wrapping them with
_():fprintf(stderr, _("Error: Could not open file\n"));
-
Update the translation template after adding new strings:
ninja sscg-pot
-
Update existing translations:
ninja sscg-update-po
-
Test with different locales to ensure proper functionality.
Important: Do not internationalize:
- Debug messages (use
fprintf(stderr, "DEBUG: ...")without_()) - Technical error codes or OpenSSL error strings
- Test files and test output
Current translations are maintained in the po/ directory. To see available languages:
ls po/*.poTo check the completion status of translations:
msgfmt --statistics po/LANG.po