simplcert

README

SimplCERT

The certificate manager is meant to easily generate keys pairs for mTLS purposes. It will generate it's own root certificate and use that to sign server and client certificates that can later be used to secure gRPC over mTLS for instance.

Usage

Exporting the root certificate path is handy so you don't have to provide it to every call

$ export SCM_ROOT_CERT_PATH=/path/to/directory/for/root/cert

verify will check if the root certificate exists and if not, will create one

$ simplcert verify

root-crt will display the root certificate as PEM encoded string to the terminal.

$ simplcert root-crt

create will create a certificate. You can use CLI flags or just run create and fill in the prompts. It is important to know the --host flag needs to be set to the domain name where the service will be reached. Or, if Docker is used, the --host flag should be set to the name of the docker container.

$ simplcert create \
  --root-cert-path /path/to/root-ca \
  --host hostname.tld \
  --name "My server" \
  --days-valid 30 \
  --ecdsa \
  --is-server

Usage examples

See examples folder for some examples:

• Go server/client
• Rust server/client

Roadmap

Status	Target	Description
✓	Add examples	Have an example folder displaying a working setup
✓	Add more signing options	RSA, DSA etc. (now only ecdsa is supported
✓	Write output to file	Add additional flag to write output to file instead of stdout
✓	Add Rust example	Add an example on how to use the certs in a Rust gRPC application
Open	Add leaf certs	Cross sign with dedicated leaf certs for server and client validations

Documentation

Index

• Constants
• func CreateRootCAFiles(certType CertType, outPath string) (err error)
• func EncodeCertificate(rawBytes []byte) []byte
• func EncodePrivateKey(rawBytes []byte) []byte
• func EncodePublicKey(rawBytes []byte) []byte
• type CertConfig
• type CertType
• type Manager
  • func NewManager(certsPath string) (*Manager, error)
  • func (m *Manager) CaPool() *x509.CertPool
  • func (m *Manager) CreateNamedCert(cfg CertConfig) (*x509.Certificate, crypto.Signer, []byte, error)
  • func (m *Manager) MarshalPrivateKey(key crypto.PrivateKey) ([]byte, error)
  • func (m *Manager) RootCrt() *x509.Certificate
  • func (m *Manager) RootPEM() []byte

Constants

const NoCertsError = internalError("no root certificates found")

Functions

func CreateRootCAFiles

func CreateRootCAFiles(certType CertType, outPath string) (err error)

func EncodeCertificate

func EncodeCertificate(rawBytes []byte) []byte

func EncodePrivateKey

func EncodePrivateKey(rawBytes []byte) []byte

func EncodePublicKey

func EncodePublicKey(rawBytes []byte) []byte

Types

type CertConfig

type CertConfig struct {
	Name string
	Host string

	IsCA         bool
	IsServer     bool
	Country      string
	Organization string
	OutputPath   string
	OutputName   string
	CertType     CertType
	NotAfter     time.Time
	// contains filtered or unexported fields
}

type CertType

type CertType int

const (
	TypeECDSA CertType = iota
	TypeRSA
	TypeED25519
)

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

func NewManager

func NewManager(certsPath string) (*Manager, error)

func (*Manager) CaPool

func (m *Manager) CaPool() *x509.CertPool

func (*Manager) CreateNamedCert

func (m *Manager) CreateNamedCert(cfg CertConfig) (*x509.Certificate, crypto.Signer, []byte, error)

CreateNamedCert will return raw TLS certificate, Private key and Public key bytes

func (*Manager) MarshalPrivateKey

func (m *Manager) MarshalPrivateKey(key crypto.PrivateKey) ([]byte, error)

func (*Manager) RootCrt

func (m *Manager) RootCrt() *x509.Certificate

func (*Manager) RootPEM

func (m *Manager) RootPEM() []byte