insecure

v0.0.0-...-27a5b28 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 20, 2024 License: MIT Imports: 18 Imported by: 0

README

Insecure


Generate deterministic TLS certificates for local Go development servers. The certificates use a P-256 ECDSA private key generated with a total lack of randomness.

Optionally, the certificates generated by this package will be signed by your local mkcert root CA. See the mkcert docs for more information.

Why?

So your browser can trust a single certificate from your development servers, and dev/test with TLS. Do not use in production.

Install

go get github.com/alta/insecure

Local CA

This package works with mkcert to generate certificates that are signed by your machine’s local certificate authority (CA). To use this feature, run mkcert -install on your development machine before generating a certificate.

Usage

Get a TLS certificate suitable for localhost, 127.0.0.1, etc:

cert, err := insecure.Cert()

Get a TLS certificate for a specific set of subject alternative names:

cert, err := insecure.Cert("crowbar.local", "::1", "192.168.0.42")

Get a certificate pool that trusts cert, useful for building net/http clients that call other services using cert:

pool, err := insecure.Pool(cert)

Note

Seriously, do not use this in production.

Author

Originally developed by @cee-dub for Alta Software LLC.

This package includes functions adapted from mkcert. Neither the authors of mkcert nor Google, Inc. have promoted or endorsed this project.

Documentation


Constants

const (
	// SerialNumber is a constant magic number used in generated certificates.
	SerialNumber = 42

	// Organization is used in the x509 subject.
	Organization = "Insecure; DO NOT USE IN PRODUCTION"
)
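
Because every certificate from this package carries the two constants above, a service can check for them and refuse to start outside development. The following is an added example, not part of the package: `devCertMarkers` and `sampleCert` are hypothetical helpers, and the sample certificates are constructed in-process with a random key so the block runs without importing the package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Values copied from the constants documented above.
const devOrg, devSerial = "Insecure; DO NOT USE IN PRODUCTION", 42

// devCertMarkers (hypothetical helper) reports which documented markers cert carries.
func devCertMarkers(cert *x509.Certificate) (found []string) {
	if slices.Contains(cert.Subject.Organization, devOrg) {
		found = append(found, "organization")
	}
	if cert.SerialNumber != nil && cert.SerialNumber.Cmp(big.NewInt(devSerial)) == 0 {
		found = append(found, "serial")
	}
	return found
}

// sampleCert (hypothetical) builds a constructed self-signed certificate for the demo.
func sampleCert(org string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{Organization: []string{org}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	fmt.Println(devCertMarkers(sampleCert(devOrg, devSerial)), devCertMarkers(sampleCert("Example Corp", 1001)))
}
```

A serial-number match on its own is weak evidence, since 42 is not unique to this package; treat the organization string as the stronger signal.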

Variables

This section is empty.

Functions

func CA

func CA() (cert *x509.Certificate, key crypto.PrivateKey, err error)

CA returns the mkcert CA certificate and key if found. Returns an error if either fails to load or parse.

func CAPEM

func CAPEM() (cert []byte, key []byte, err error)

CAPEM returns the raw PEM mkcert CA certificate and key if found. Returns an error if either doesn’t exist or fails to load.

func Cert

func Cert(sans ...string) (tls.Certificate, error)

Cert returns a deterministic self-signed certificate and private key for the specified list of SANs. If SANs are not specified, a default set of local SANs will be used.

func Key

func Key() (priv *ecdsa.PrivateKey, err error)

Key returns a P-256 ECDSA private key generated WITHOUT randomness.

func LocalSANs

func LocalSANs() []string

LocalSANs is a default list of local SANs (Subject Alternative Names) used for generating an insecure local certificate. The return value may be mutated.

func PEM

func PEM(sans ...string) (cert []byte, key []byte, err error)

PEM returns a self-signed certificate and private key in PEM format for the specified list of SANs. If SANs are not specified, a default set of local SANs will be used.

func Pool

func Pool(cert tls.Certificate) (*x509.CertPool, error)

Pool returns a certificate pool that trusts cert. To use, assign to the RootCAs field of a tls.Config. Will panic if cert is nil or contains no certificates.

Types

This section is empty.
