{"id":24037066,"url":"https://github.com/arthurtsang/simpleca","last_synced_at":"2026-04-07T19:31:30.734Z","repository":{"id":74178284,"uuid":"492113918","full_name":"arthurtsang/simpleCA","owner":"arthurtsang","description":"A simple CA server to create multiple intermediate CAs and generate certs, keystore, truststore with simple API","archived":false,"fork":false,"pushed_at":"2022-05-14T07:12:55.000Z","size":22,"stargazers_count":5,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-01T21:53:19.535Z","etag":null,"topics":["certificate","certificateauthority","crl","ocsp","ocsp-responder","openssl","tls"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arthurtsang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-14T04:43:13.000Z","updated_at":"2025-12-21T06:00:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"5a6db6d4-9a64-45e7-9c0f-fe95489aa30f","html_url":"https://github.com/arthurtsang/simpleCA","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/arthurtsang/simpleCA","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurtsang%2FsimpleCA","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurtsang%2FsimpleCA/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurtsang%2FsimpleCA/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/arthurtsang%2FsimpleCA/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arthurtsang","download_url":"https://codeload.github.com/arthurtsang/simpleCA/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arthurtsang%2FsimpleCA/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31526665,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"ssl_error","status_checked_at":"2026-04-07T16:28:06.951Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","certificateauthority","crl","ocsp","ocsp-responder","openssl","tls"],"created_at":"2025-01-08T19:37:40.550Z","updated_at":"2026-04-07T19:31:30.702Z","avatar_url":"https://github.com/arthurtsang.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SimpleCA\n\n## Overview\n\nIntended for development, to quickly set up a CA with a CRL and an OCSP responder for testing a TLS/SSL setup.\n\nOpenSSL is great, but creating an environment for a multi-level CA to sign a few certs and revoke them requires a lot of commands and knowledge.\nThis project tries to encapsulate most of the complexity by calling the OpenSSL commands behind a few simple APIs.\n\n## Features\n2. 
generate root cert (auto during first start)\n3. generate intermediate CA (to sign leaf cert or another intermediate?  client auth?)\n4. generate leaf cert (client auth? localhost?)\n5. serve CRL\n6. start OCSP with openssl\n7. download keystore and trust store\n8. use json editor for UI? (Not yet done)\n\n## Directory Structure\n\n```\n/simpleca\n  /rootca\n    ca.conf\n    rootca.crl\n    /certs\n      inter1.crt\n  /inter1\n    ca.conf\n    inter1.crl\n    /certs\n      inter2.crt\n  /inter2\n    ca.conf\n    inter2.crl\n    /certs\n      server.crt\n      client.crt\n  /server\n    server.crt\n  /client\n    client.crt\n```\n\n## Configuration\n\n* application.yaml\n```yaml\nserver:\n  port: 4000\nsimpleca:\n  hostname: localhost\n  caPath: ./myca\n  opensslPath: /usr/bin\n  defaultPassword: changeit\n  recreate: false\n  ocspPort: 5000\n```\n\nThe default application.yaml is embedded in the jar file; all values can be overridden with the normal [Spring Boot Externalized Configuration](https://docs.spring.io/spring-boot/docs/2.1.8.RELEASE/reference/html/boot-features-external-config.html)\n\n* example.yaml\n\n```yaml\nsimpleca:\n  rootca:\n    relativePath: rootca\n    keySize: 2048\n    days: 1826\n    pathLenConstraint: 2\n    caConstraint: true\n    subject: /C=US/ST=California/L=San Francisco/O=Youramaryllis/CN=Root CA\n    ca:\n      - name: inter1\n        relativePath: inter1\n        keysize: 2048\n        days: 1826\n        subject: /C=US/ST=California/L=San Francisco/O=Youramaryllis/CN=Inter1 CA\n        caConstraint: true\n        keyUsage: digitalSignature,keyEncipherment,cRLSign,keyCertSign\n        ca:\n          - name: inter1a\n            relativePath: inter1a\n            keySize: 8192\n            days: 1826\n            caConstraint: false\n            clientAuth: true\n            subjectAltName:\n              - DNS.0 = localhost\n              - IP.0 = 127.0.0.1\n            subject: /C=US/ST=California/L=San 
Francisco/O=Youramaryllis/CN=Inter1a CA\n            keyUsage: digitalSignature,keyEncipherment\n            certs:\n              - name: server\n                keySize: 2048\n                subject: /C=US/ST=California/L=San Francisco/O=Youramaryllis/CN=server\n                relativePath: server\n              - name: client1\n                keySize: 2048\n                subject: /C=US/ST=California/L=San Francisco/O=Youramaryllis/CN=client1\n                relativePath: client1\n              - name: client2\n                keySize: 2048\n                subject: /C=US/ST=California/L=San Francisco/O=Youramaryllis/CN=client2\n                revoked: true\n                relativePath: client2\n      - name: inter2\n        relativePath: inter2\n        keysize: 2048\n        days: 1826\n        subject: /C=US/ST=California/L=San Francisco/O=Youramaryllis/CN=Inter2 CA\n        caConstraint: false\n        keyUsage: digitalSignature,keyEncipherment\n\n```\n\nThe above is an example of the structure of the CAs and certificates.\nIt is passed into the application with\n```shell\n--spring.config.location=classpath:/application.yaml,./src/test/resources/example.yaml\n```\nThus, every time the server starts up, it will make sure all files are there (you might have to download the keystore/truststore again if they are regenerated).\n\nTo add a CA or generate a certificate, you can manually edit this file and restart the server, or call the API.\n\nNote: the `example.yaml` can be named anything, as long as it is the first non-classpath yaml in the `spring.config.location` setting.\nNote2: the `example.yaml` cannot be combined with the `application.yaml`, because the API calls rewrite the file and any settings outside `simpleca.rootca` will be lost.\n\n## API\n\n- `GET /api/ca` - return a list of all CAs\n- `GET /api/ca/{name}` - return details of the named CA\n- `POST /api/ca/{signingCaName}` - create a new CA and sign the cert with `signingCaName` CA\n- `POST 
/api/cert/{signingCaName}` - generate a certificate signed by the `signingCaName` CA\n- `DELETE /api/cert/{signingCaName}/{certName}` - revoke a certificate\n- `GET /api/cert/{caName}/keystore` - download keystore (it has the private key of the certificate and the chain certificates)\n- `GET /api/cert/{caName}/truststore` - download truststore (it only contains the root CA cert)\n\n### Post data to create a new CA\n\n```json\n{\n  \"name\": \"inter1b\",\n  \"keySize\": 8192,\n  \"days\": 1826,\n  \"caConstraint\": false,\n  \"clientAuth\": true,\n  \"subject\": \"/C=US/ST=California/L=San Francisco/O=Youramaryllis/CN=Inter1b CA\",\n  \"keyUsage\": \"digitalSignature,keyEncipherment\"\n}\n```\n\n### Post data to generate a new certificate\n\n```json\n{\n  \"name\": \"client4\",\n  \"keySize\": 4096,\n  \"subject\": \"/C=US/ST=California/L=San Francisco/O=Youramaryllis/CN=client4\"\n}\n```\n\n## CRL\n\nAll CRL files are served at `http://{host}:{port}/ca/{path}/{fileName}`:\n\n| param | desc |\n| --- | --- |\n| host | host name as defined in application.yaml |\n| port | port number as defined in application.yaml |\n| path | relativePath, defined per CA |\n| fileName | the CRL filename; it is the name of the CA with `crl` as extension |\n\n## OCSP\n\nThe caIssuers URL has the same format as the CRL URL, except the extension is `crt`.\nThe OCSP responder is run with `openssl ocsp ... -port {ocspPort}`, where ocspPort is defined in application.yaml.\n\n## To Start the Server\n\nRun ```java -ea -jar simpleCA-1.0.0-SNAPSHOT.jar --spring.config.location=classpath:/application.yaml,../src/test/resources/example.yaml```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farthurtsang%2Fsimpleca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farthurtsang%2Fsimpleca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farthurtsang%2Fsimpleca/lists"}