certcut

v0.3.1
Published: Feb 11, 2018 | License: MIT | Imports: 14 | Imported by: 0

README

certcut

Quick certificate generation and loading.

Install

go get -u github.com/Urethramancer/certcut

Why

I needed simpler, automated generation of self-signed server and client certificates for various projects, both gRPC client certificate authentication and general web servers.

How

Example of generating a server certificate:

// Create a server key
key, err := certcut.NewKey(4096) // 2048 is the default if you supply anything less
if err != nil {
	return err
}
// Get the PEM with PrivateKeyPEM()
// Once saved, you can load it with LoadPrivateKeyFromPEM()

// Create a certificate authority (server certificate)
b, err := certcut.NewCA(key, "MiskatonicU")
if err != nil {
	return err
}
// Get the PEM with CertPEM()
// Load it again with LoadCertFromPEM()

// Create a certificate revocation list
crl, err := certcut.NewCRL(key, b, nil) // Supply []pkix.RevokedCertificate as the last argument
if err != nil {
	return err
}
// Get the PEM with CRLPEM()
// Load it with LoadCRLFromPEM()

Note that this package only cares about the Common Name for certificates etc., as it's intended for internal use and not to generate certificates/signing requests for a public CA.
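
The CRL from NewCRL only has an effect if the verifying side checks it: Go's crypto/tls does not consult CRLs during the handshake. The following added example (not part of certcut or its README; standard library only, Go 1.19+) verifies a CRL's signature and freshness before looking up a serial. The names must, isRevoked and demo, and the sample CA and serial numbers, are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // sample-data helper: abort on any setup error
	if err != nil {
		panic(err)
	}
	return v
}

// isRevoked reports whether serial is listed on a current CRL that ca really signed.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (revoked bool, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // a CRL the CA did not sign proves nothing
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %v", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(serial) == 0
	}
	return revoked, nil
}

// demo builds a constructed CA and a CRL revoking serial 2, then checks serials 2 and 3.
func demo() (revoked, clean bool) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "MiskatonicU"},
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	list := []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: time.Now()}}
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: list}, ca, key))
	return must(isRevoked(crlDER, ca, big.NewInt(2))), must(isRevoked(crlDER, ca, big.NewInt(3)))
}

func main() { fmt.Println(demo()) }
```

A server would call a check like this from tls.Config.VerifyPeerCertificate and reject the connection on either a true result or an error.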

Signing host (client) certificates:

// Continuing from the above example, we generate the key and cert for a client.

// Create a client key
clientkey, err := certcut.NewKey(4096)
if err != nil {
	return err
}
// Get the PEM with PrivateKeyPEM()

cn := "WDyer"
// Generate a certificate signing request
csrbuf, err := certcut.NewCSR(clientkey, cn)
if err != nil {
	return err
}
// It's not strictly necessary to store these, especially for internal use,
// but you are free to use CSRPEM() if you need it. A corresponding
// LoadCSRFromPEM() function is also available.

csr, err := x509.ParseCertificateRequest(csrbuf)
if err != nil {
	return err
}

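// Sign the client certificate with the CA key and CA certificate
// (key and b from the server example above).
clientcrt, err := certcut.NewClientCert(key, clientkey, cn, b, csr)
if err != nil {
	return err
}

gRPC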

There's a convenience function for the grpc package to load both the CA cert and the client cert at once into a TLS config:

creds, err := certcut.NewClientTLSFromFiles("server.crt", "client.crt", "client.key")
...
conn, err := grpc.Dial(address, grpc.WithTransportCredentials(creds))

It's a drop-in replacement for gRPC's NewClientTLSFromFile().

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func CRLPEM

func CRLPEM(b []byte) []byte

CRLPEM converts a certificate revocation list to PEM format.

func CSRPEM

func CSRPEM(b []byte) []byte

CSRPEM converts a certificate signing request to PEM format.

func CertPEM

func CertPEM(b []byte) []byte

CertPEM converts a certificate to PEM format.

func HashSubjectKeyID

func HashSubjectKeyID(key *rsa.PublicKey) ([]byte, error)

HashSubjectKeyID returns the hash for a public key.

func LoadCRLFromPEM

func LoadCRLFromPEM(path string) (*pkix.CertificateList, error)

LoadCRLFromPEM returns an x509 CertificateList.

func LoadCSRFromPEM

func LoadCSRFromPEM(path string) (*x509.CertificateRequest, error)

LoadCSRFromPEM returns an x509 CertificateRequest.

func LoadCertFromPEM

func LoadCertFromPEM(path string) ([]byte, error)

LoadCertFromPEM returns the raw bytes of a certificate.

func LoadPrivateKeyFromPEM

func LoadPrivateKeyFromPEM(path string) (*rsa.PrivateKey, error)

LoadPrivateKeyFromPEM returns a parsed private key structure.

func LoadPublicKeyFromPEM

func LoadPublicKeyFromPEM(path string) (interface{}, error)

LoadPublicKeyFromPEM returns a parsed public key structure.

func NewCA

func NewCA(key *rsa.PrivateKey, cn string) ([]byte, error)

NewCA creates a new certificate authority which further client certificates can be generated with.

func NewCRL

func NewCRL(key *rsa.PrivateKey, cert []byte, list []pkix.RevokedCertificate) ([]byte, error)

NewCRL creates a new certificate revocation list.

func NewCSR

func NewCSR(key *rsa.PrivateKey, cn string) ([]byte, error)

NewCSR creates a new certificate signing request.

func NewClientCert

func NewClientCert(authkey *rsa.PrivateKey, hostkey *rsa.PrivateKey, cn string, ca []byte, csr *x509.CertificateRequest) ([]byte, error)

NewClientCert makes certificates for client authentication.

func NewClientTLSFromFiles added in v0.3.0

func NewClientTLSFromFiles(servercert, clientcert, clientkey string) (credentials.TransportCredentials, error)

NewClientTLSFromFiles is an improved version of gRPC's NewClientTLSFromFile which also loads the root certificate for the certificate authority so that connections actually work with verification.

func NewKey

func NewKey(bits int) (*rsa.PrivateKey, error)

NewKey creates a new RSA key for certificate generation and signing.

func NewSerial

func NewSerial() (*big.Int, error)

NewSerial generates a random BigInt.

func NewTemplate

func NewTemplate() *x509.Certificate

NewTemplate for server and client certificates.

func PrivateKeyPEM

func PrivateKeyPEM(key *rsa.PrivateKey) []byte

PrivateKeyPEM converts a private key to PEM format.

func PublicKeyPEM

func PublicKeyPEM(key *rsa.PublicKey) ([]byte, error)

PublicKeyPEM converts a public key to PEM format.

Types

This section is empty.
