Command-line utility for managing PKI certificates written in Go.
🔐 Manage Your Public Key Infrastructure
Perform many common tasks necessary for setting up your PKI infrastructure.
- Generate signing requests
- Generate authority certificates
- Generate client certificates
- Build certificate chains
- Verify certificate root, chain & hosts
- Trust certificates
✨ Simple, Intuitive API
A goal of this project is to make PKI simple and approachable.
Please don't hesitate to submit an issue or open a pull request with your suggestions.
📈 ECDSA Elliptic Curve Support
Certificates can be signed using ECDSA Elliptic Curves:
Standard | Description |
---|---|
P-224 | Uses a curve which "implements NIST P-224 (FIPS 186-3, section D.2.2)" |
P-256 | Uses a curve which "implements NIST P-256 (FIPS 186-3, section D.2.3)" |
P-384 | Uses a curve which "implements NIST P-384 (FIPS 186-3, section D.2.4)" |
P-521 | Uses a curve which "implements NIST P-521 (FIPS 186-3, section D.2.5)" |
Be sure to check that the chosen elliptic curve is supported for your use case.
For example, Chrome 42.x does not support P-521.
📉 ED25519 Support
A certificate can be signed with a key using the ED25519 signature algorithm.
Be sure to check if your use case supports ED25519 (good reference).
Prebuilt Binaries
You can download pre-built binaries for your operating system on the Releases page.
Homebrew
The `acert` package is included in the `lstellway/formulae` tap.
To install with Homebrew, tap the tap:
```sh
brew tap lstellway/formulae
```
Update taps and install the formula:
```sh
brew update \
&& brew install lstellway/formulae/acert
```
Optionally test the installation:
```sh
brew test lstellway/formulae/acert
```
...and enjoy the brew 🍻
Build From Source
To build from source:
- Install and configure Go on the system.
- Download the repository.
- Run `make build` to build the binary:
```sh
git clone https://github.com/lstellway/acert.git \
&& cd acert \
&& make build
```
This will output the `acert` binary in the directory.
Be sure to move it into a directory included in your `PATH` environment variable.
```sh
# Build a self-signed certificate authority with "local-root" as the subject alternative name
acert authority -san 'local-root'
# Use ECDSA elliptic curves
acert authority -ecdsa -san 'local-root'
# Trust the authority certificate
acert trust local-root.ca.cert.pem
# Create a certificate chain by signing another authority
acert authority -parent local-root.ca.cert.pem -key local-root.ca.key.pem -san 'local-intermediate'
# Sign a client certificate with the intermediate certificate
acert client -parent local-intermediate.ca.cert.pem -key local-intermediate.ca.key.pem -san 'test.com,*.test.com'
# Verify that the certificate is set up as expected
acert verify -root local-root.ca.cert.pem -intermediate local-intermediate.ca.cert.pem -hosts 'test.com,*.test.com' test.com.cert.pem
```
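The root, intermediate and leaf chain from the commands above, and the kind of root, chain and host check that the verify step performs, as an added Go example built on the standard library's crypto/x509. This is not acert's own code: `issue`, `verifyHost` and `must` are hypothetical helpers, and the certificates are constructed in memory with the same names as the commands above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a P-256 certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, ca bool, sans []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: sans,
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign // authorities sign certificates, leaves do not
	}
	if parent == nil {
		parent, pkey = t, key // root: the certificate is its own issuer
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)))), key
}

// verifyHost checks that leaf chains to root through inters and is valid for host.
func verifyHost(leaf, root *x509.Certificate, host string, inters ...*x509.Certificate) error {
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		mids.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids, DNSName: host})
	return err
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // constructed demo: abort on any key or certificate error
	}
	return v
}
func main() {
	root, rk := issue("local-root", 1, true, []string{"local-root"}, nil, nil)
	mid, mk := issue("local-intermediate", 2, true, []string{"local-intermediate"}, root, rk)
	leaf, _ := issue("test.com", 3, false, []string{"test.com", "*.test.com"}, mid, mk)
	fmt.Println(verifyHost(leaf, root, "api.test.com", mid), verifyHost(leaf, root, "test.com"))
}
```

Verification fails when the intermediate is left out, and the `*.test.com` wildcard covers only a single label, so `a.b.test.com` is rejected even with the full chain.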
If you ever need help with a command, simply run the `help` subcommand:
```sh
# Main help page
acert help
# Authority help page
acert authority help
```
A `test/` directory has also been added with an example for testing your certificate with NGINX on Docker.
More help documentation coming soon...
To show the current version of `acert`, run:
```sh
acert version
```
Format
Versions will be in the `year.month[.revision][-stage]` format. Examples:
```
2021.09.1
2021.10.1-alpha
2021.10.1-beta
2021.10.1-rc
...
```
- Mozilla SSL Configuration Generator
  - Put your certificates to work! This tool will help you build SSL configurations for many popular software packages.
- Wikipedia