certify

package module
v1.8.0 Latest
Warning

This package is not in the latest version of its module.

Published: Sep 10, 2023 License: MIT Imports: 13 Imported by: 0

README

🔒 Certify

Certify is an easy-to-use certificate manager and can be used as an alternative to OpenSSL. With Certify you can create your own private CA (Certificate Authority) and issue certificates with your own CA.


Features

  • Create a CA and intermediate CA
  • Issue certificates with a custom common name, IP SAN, DNS SAN, expiry date, and extended key usage
  • Show certificate information from a file or remote host
  • Export a certificate to PKCS12 format
  • Verify that a private key matches a certificate
  • Revoke a certificate

Installation

Download it from the release page.

Usage

             _   _ ___     
 ___ ___ ___| |_|_|  _|_ _ 
|  _| -_|  _|  _| |  _| | |
|___|___|_| |_| |_|_| |_  |
                      |___| Certify v1.x

Usage of certify:  
certify [flag] [ip-or-dns-san] [cn:default certify] [eku:default serverAuth,clientAuth] [expiry:default 8766h s,m,h,d]

$ certify server.local 172.17.0.1 cn:web-server eku:serverAuth expiry:1d
$ certify -init cn:web-server o:nothinux crl-nextupdate:100d

Flags:
  -init
	Initialize new root CA Certificate and Key
  -intermediate
	Generate intermediate certificate
  -read  <filename>
	Read certificate information from file or stdin
  -read-crl <filename>
	Read certificate revocation list from file or stdin
  -connect  <host:443> <tlsver:1.2> <insecure> <with-ca:ca-path>
	Show certificate information from remote host, use tlsver to set spesific tls version
  -export-p12  <cert> <private-key> <ca-cert>
	Generate client.p12 pem file containing certificate, private key and ca certificate
  -match  <private-key> <cert>
	Verify cert-key.pem and cert.pem has same public key
  -interactive
	Run certify interactively
  -revoke <certificate> <crl-file> <crl-nextupdate:10d(optional)>
	Revoke certificate, the certificate will be added to CRL
  -verify-crl <certificate> <crl-file>
	Check if the certificate was revoked
  -version
	print certify version

Create Certificate with CN nothinux and expiry 30 days

# create CA
$ certify -init cn:nothinux o:nothinux

# create Certificate
$ certify cn:nothinux expiry:30d

Create Certificate interactively

$ certify -interactive

Read Certificate

$ certify -read ca-cert.pem
or
$ cat ca-cert.pem | certify -read

Use Certify as library

You can also use certify as a library in your Go application.

Installation
go get github.com/nothinux/certify
Documentation

see pkg.go.dev

Example
Create Private Key and CA Certificates
package main

import (
	"crypto/x509/pkix"
	"log"
	"os"
	"time"

	"github.com/nothinux/certify"
)

func main() {
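	// Generate the CA's ECDSA private key.
	p, err := certify.GetPrivateKey()
	if err != nil {
		log.Fatal(err)
	}

	// The CA key is the root of trust: write it readable by its owner only.
	if err := os.WriteFile("CA-key.pem", []byte(p.String()), 0600); err != nil {
		log.Fatal(err)
	}

	// Create the CA certificate template, valid for 8766 hours.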
	template := certify.Certificate{
		Subject: pkix.Name{
			Organization: []string{"certify"},
		},
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(8766 * time.Hour),
		IsCA:      true,
	}

	caCert, err := template.GetCertificate(p.PrivateKey)
	if err != nil {
		log.Fatal(err)
	}

	if err := os.WriteFile("CA-cert.pem", []byte(caCert.String()), 0640); err != nil {
		log.Fatal(err)
	}

}

License

MIT

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CRLInfo added in v1.8.0

func CRLInfo(rl *x509.RevocationList) string

func CertInfo added in v1.2.0

func CertInfo(cert *x509.Certificate) string

CertInfo returns certificate information

func GetPublicKey

func GetPublicKey(pub interface{}) (string, error)

GetPublicKey returns string of pem encoded structure from given public key

func GetSerial

func GetSerial() (*big.Int, error)

GetSerial returns serial and an error

func ParseCRL added in v1.8.0

func ParseCRL(crl []byte) (*x509.RevocationList, error)

func ParseCertificate

func ParseCertificate(cert []byte) (*x509.Certificate, error)

ParseCertificate returns parsed certificate and error

func ParsePrivateKey

func ParsePrivateKey(pkey []byte) (*ecdsa.PrivateKey, error)

ParsePrivateKey parses the given []byte private key into an *ecdsa.PrivateKey struct

Types

type CertRevocationList added in v1.8.0

type CertRevocationList struct {
	Byte []byte
}

CertRevocationList holds a certificate revocation list

func CreateCRL added in v1.8.0

func CreateCRL(pkey *ecdsa.PrivateKey, caCert *x509.Certificate, crl *x509.RevocationList, nextUpdate time.Time) (*CertRevocationList, *big.Int, error)

CreateCRL creates a certificate revocation list

func RevokeCertificate added in v1.8.0

func RevokeCertificate(crl []byte, cert *x509.Certificate, caCert *x509.Certificate, pkey *ecdsa.PrivateKey, nextUpdate time.Time) (*CertRevocationList, *big.Int, error)

func (*CertRevocationList) String added in v1.8.0

func (c *CertRevocationList) String() string

String returns the certificate revocation list as a string in PEM-encoded format

type Certificate

type Certificate struct {
	SerialNumber     *big.Int
	Subject          pkix.Name
	NotBefore        time.Time
	NotAfter         time.Time
	IPAddress        []net.IP
	DNSNames         []string
	IsCA             bool
	Parent           *x509.Certificate
	ParentPrivateKey interface{}
	KeyUsage         x509.KeyUsage
	ExtentedKeyUsage []x509.ExtKeyUsage
	SubjectKeyId     []byte
	AuthorityKeyId   []byte
}

Certificate holds certificate information

func (*Certificate) GetCertificate

func (c *Certificate) GetCertificate(pkey *ecdsa.PrivateKey) (*Result, error)

GetCertificate generates a certificate and returns it in a Result struct

func (*Certificate) SetTemplate

func (c *Certificate) SetTemplate() x509.Certificate

SetTemplate sets the template for x509.Certificate from the given Certificate struct

type PrivateKey

type PrivateKey struct {
	*ecdsa.PrivateKey
}

PrivateKey holds a private key

func GetPrivateKey

func GetPrivateKey() (*PrivateKey, error)

GetPrivateKey returns struct PrivateKey containing the private key

func (*PrivateKey) String

func (p *PrivateKey) String() string

String returns string of private key in pem encoded format

type Result

type Result struct {
	ByteCert []byte
	Cert     *x509.Certificate
}

Result holds the created certificate in []byte format

func (*Result) String

func (r *Result) String() string

String returns certificate in string format

Directories

Path Synopsis
cmd
