Giter Club home page Giter Club logo

generate-tls-cert's Introduction

Better self-signed certificates

Here's a script that helps you generate self signed certificates. It will generate both a root certificate and a leaf.

(The TLS certificates generated by crypto/tls/generate_cert.go act both as a CA and as a leaf certificate. Some TLS clients have a problem with that scheme.)

This script modifies crypto/tls/generate_cert.go slightly:

  • A leaf certificate and a root certificate are generated.

  • the only supported key type is ecdsa P256.

  • Better usage instructions are generated.

Credit comes from Adam Langley, who provided the initial version of this script on a golang-nuts message thread.

Installation

go get github.com/Shyp/generate-tls-cert

Usage

Running generate-tls-cert will give you nine files. Three of them are the most important:

  • root.pem: The public key of the root CA. Add this as a CA in clients to connect to your self-signed server (see "Client" below).

  • leaf.key and leaf.pem - The public and private key for terminating TLS with your self signed certificate.

$ generate-tls-cert --host=localhost,127.0.0.1
Successfully generated certificates! Here's what you generated.

# Root CA

root.key
	The private key for the root Certificate Authority. Keep this private.

root.pem
	The public key for the root Certificate Authority. Clients should load the
	certificate in this file to connect to the server.

root.debug.crt
	Debug information about the generated certificate.

# Leaf Certificate - Use these to serve TLS traffic.

leaf.key
	Private key (PEM-encoded) for terminating TLS traffic on the server.

leaf.pem
	Public key for terminating TLS traffic on the server.

leaf.debug.crt
	Debug information about the generated certificate

# Client Certificate - You probably don't need these.

client.key: Secret key for TLS client authentication
client.pem: Public key for TLS client authentication

Add the following instructions to your Makefile, and all your users will have to do to get started is run make generate_cert to download the binary and load TLS certificates.

GENERATE_TLS_CERT = $(GOPATH)/bin/generate-tls-cert

$(GENERATE_TLS_CERT):
	go get -u github.com/Shyp/generate-tls-cert

certs/leaf.pem: | $(GENERATE_TLS_CERT)
	mkdir -p certs
	cd certs && $(GENERATE_TLS_CERT) --host=localhost,127.0.0.1

# Generate TLS certificates for local development.
generate_cert: certs/leaf.pem | $(GENERATE_TLS_CERT)

Client Side

Here's how to make requests that validate, using your new TLS certificates.

Go

rootPEM, err := ioutil.ReadFile("path/to/root.pem")
if err != nil {
	log.Fatal(err)
}
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM(rootPEM)
if !ok {
	panic("failed to parse root certificate")
}

// Use the tls.Config here in http.Transport.TLSClientConfig
conn, err := tls.Dial("tcp", "yourhost:yourport", &tls.Config{
    RootCAs: roots,
})
if err != nil {
    panic("failed to connect: " + err.Error())
}
conn.Close()

Javascript

var fs = require('fs');
var https = require('https');

var get = https.request({
  path: '/', hostname: 'yourhost', port: yourport,
  ca: fs.readFileSync('path/to/root.pem'),
  agent: false,
  rejectUnauthorized: true,
}, function(response) {
  response.on('data', (d) => {
    process.stdout.write(d);
  });
});

get.on('error', function(e) {
  console.error(e)
  console.error("error", e)
  console.error("error", JSON.stringify(e))
});

get.end();

Curl

curl --cacert path/to/root.pem https://yourhost:yourport

Python Requests

import requests

r = requests.get("https://yourhost:yourport", verify='root.pem')
print(r.status_code)

OpenSSL

openssl s_client -showcerts -servername localhost -CAfile path/to/root.pem -connect yourhost:yourport

Server Side

Here's how to integrate the generated certificates into different server architectures.

Go

Start the Go server with the leaf public and private keys.

http.ListenAndServeTLS(":7252", "leaf.pem", "leaf.key", nil)

Node.js

Start a Node server with the leaf public and private keys.

const https = require('https');
const fs = require('fs');

const options = {
  key: fs.readFileSync('leaf.key'),
  cert: fs.readFileSync('leaf.pem'),
};

https.createServer(options, (req, res) => {
  res.writeHead(200);
  res.end('hello world\n');
}).listen(8000);

generate-tls-cert's People

Contributors

kevinburkeshyp avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.