Need help with generate-tls-cert?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

Shyp
134 Stars 20 Forks 8 Commits 3 Opened issues

Description

Generating self signed certificates

Services available

!
?

Need anything else?

Contributors list

No Data

Better self-signed certificates

Here's a script that helps you generate self signed certificates. It will generate both a root certificate and a leaf.

(The TLS certificates generated by

crypto/tls/generate_cert.go
act both as a CA and as a leaf certificate. Some TLS clients have a problem with that scheme.)

This script modifies

crypto/tls/generate_cert.go
slightly:
  • A leaf certificate and a root certificate are generated.

  • the only supported key type is ecdsa P256.

  • Better usage instructions are generated.

Credit comes from Adam Langley, who provided the initial version of this script on a golang-nuts message thread.

Installation

go get github.com/Shyp/generate-tls-cert

Usage

Running

generate-tls-cert
will give you nine files. Three of them are the most important:
  • root.pem
    : The public key of the root CA. Add this as a CA in clients to connect to your self-signed server (see "Client" below).
  • leaf.key
    and
    leaf.pem
    - The public and private key for terminating TLS with your self signed certificate.
$ generate-tls-cert --host=localhost,127.0.0.1
Successfully generated certificates! Here's what you generated.

Root CA

root.key The private key for the root Certificate Authority. Keep this private.

root.pem The public key for the root Certificate Authority. Clients should load the certificate in this file to connect to the server.

root.debug.crt Debug information about the generated certificate.

Leaf Certificate - Use these to serve TLS traffic.

leaf.key Private key (PEM-encoded) for terminating TLS traffic on the server.

leaf.pem Public key for terminating TLS traffic on the server.

leaf.debug.crt Debug information about the generated certificate

Client Certificate - You probably don't need these.

client.key: Secret key for TLS client authentication client.pem: Public key for TLS client authentication

Add the following instructions to your Makefile, and all your users will have to do to get started is run

make generate_cert
to download the binary and load TLS certificates.
GENERATE_TLS_CERT = $(GOPATH)/bin/generate-tls-cert

$(GENERATE_TLS_CERT): go get -u github.com/Shyp/generate-tls-cert

certs/leaf.pem: | $(GENERATE_TLS_CERT) mkdir -p certs cd certs && $(GENERATE_TLS_CERT) --host=localhost,127.0.0.1

Generate TLS certificates for local development.

generate_cert: certs/leaf.pem | $(GENERATE_TLS_CERT)

Client Side

Here's how to make requests that validate, using your new TLS certificates.

Go

rootPEM, err := ioutil.ReadFile("path/to/root.pem")
if err != nil {
    log.Fatal(err)
}
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM(rootPEM)
if !ok {
    panic("failed to parse root certificate")
}

// Use the tls.Config here in http.Transport.TLSClientConfig conn, err := tls.Dial("tcp", "yourhost:yourport", &tls.Config{ RootCAs: roots, }) if err != nil { panic("failed to connect: " + err.Error()) } conn.Close()

Javascript

var fs = require('fs');
var https = require('https');

var get = https.request({ path: '/', hostname: 'yourhost', port: yourport, ca: fs.readFileSync('path/to/root.pem'), agent: false, rejectUnauthorized: true, }, function(response) { response.on('data', (d) => { process.stdout.write(d); }); });

get.on('error', function(e) { console.error(e) console.error("error", e) console.error("error", JSON.stringify(e)) });

get.end();

Curl

curl --cacert path/to/root.pem https://yourhost:yourport

Python Requests

import requests

r = requests.get("https://yourhost:yourport", verify='root.pem') print(r.status_code)

OpenSSL

openssl s_client -showcerts -servername localhost -CAfile path/to/root.pem -connect yourhost:yourport

Server Side

Here's how to integrate the generated certificates into different server architectures.

Go

Start the Go server with the leaf public and private keys.

http.ListenAndServeTLS(":7252", "leaf.pem", "leaf.key", nil)

Node.js

Start a Node server with the leaf public and private keys.

const https = require('https');
const fs = require('fs');

const options = { key: fs.readFileSync('leaf.key'), cert: fs.readFileSync('leaf.pem'), };

https.createServer(options, (req, res) => { res.writeHead(200); res.end('hello world\n'); }).listen(8000);

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.