{"id":18709440,"url":"https://github.com/joemiller/certsponge","last_synced_at":"2025-06-11T10:34:01.605Z","repository":{"id":39610744,"uuid":"506799582","full_name":"joemiller/certsponge","owner":"joemiller","description":"Utility for splitting Vault's PKI output into one or more files containing the private key, certificate, and CA data","archived":false,"fork":false,"pushed_at":"2022-06-26T19:17:42.000Z","size":26,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-15T08:56:04.101Z","etag":null,"topics":["mtls","pki","tls","vault"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joemiller.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-23T21:42:43.000Z","updated_at":"2023-08-30T05:32:35.000Z","dependencies_parsed_at":"2022-09-20T06:13:24.789Z","dependency_job_id":null,"html_url":"https://github.com/joemiller/certsponge","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemiller%2Fcertsponge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemiller%2Fcertsponge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemiller%2Fcertsponge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemiller%2Fcertsponge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joemiller","download_url":"https://codeload.github.com/joemiller/certsponge/tar.gz/refs/he
ads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239571817,"owners_count":19661230,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["mtls","pki","tls","vault"],"created_at":"2024-11-07T12:27:35.090Z","updated_at":"2025-02-19T00:22:16.898Z","avatar_url":"https://github.com/joemiller.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# certsponge\n\nUtility for splitting Vault's PKI output into one or more files containing the private key, certificate, and CA data.\n\nCreates `tls.pem` and `ca.crt`:\n\n```console\nvault write -format=json pki/issue/rolename common_name=web.dom.tld | certsponge\n```\n\nOverride default behavior with flags. 
`certsponge -h` for usage:\n\n```console\nvault write -format=json pki/issue/rolename common_name=web.dom.tld \\\n  | certsponge \\\n    -bundle \"\" \\\n    -key tls.key \\\n    -cert tls.crt \\\n    -ca-cert ca.crt\n```\n\n## Install\n\n* Install latest using `go install`: `go install github.com/joemiller/certsponge@latest`\n\n* macOS Homebrew/Linuxbrew: `brew install joemiller/taps/certsponge`\n\n* Pre-built binaries and packages are available for various platforms on the [GitHub Releases](https://github.com/joemiller/certsponge/releases) page.\n\n* Docker images are available on [ghcr.io](https://github.com/joemiller/certsponge/pkgs/container/certsponge).\n\n## Usage\n\n`certsponge` expects to receive the JSON output from `vault write pki/issue/...`:\n\n```console\nvault write -format=json pki/issue/rolename common_name=web.dom.tld | certsponge\n```\n\nBy default the output is saved into two files in the current directory:\n\n- `tls.pem`: Contains `private_key`, `certificate`, and `ca_chain` (in that order).\n- `ca.crt`: Contains `ca_chain`.\n\nThis behavior can be changed via flags. 
Run with `-h` for usage.\n\n\nFiles containing `private_key` are always created with mode `0600`.\n\nFiles containing only non-sensitive data (`certificate` and `ca_chain`) are created with mode `0644`.\n\nExisting files will not be overwritten unless the `-f` flag is specified.\n\n## Motivation\n\nI got tired of writing blocks like this (and many other variations) in scripts:\n\n```sh\nout=$(vault write -format=json pki/issue/myrole common_name=foo)\nkey=$(jq -r '.data.private_key' \u003c\u003c\u003c\"$out\")\ncert=$(jq -r '.data.certificate' \u003c\u003c\u003c\"$out\")\nca=$(jq -r '.data.ca_chain' \u003c\u003c\u003c\"$out\")\n{\n  echo \"$key\"\n  echo \"$cert\"\n  echo \"$ca\"\n} \u003etls.pem\n```\n\n## Similar Tools\n\n- [vaultbot](https://gitlab.com/msvechla/vaultbot) is an excellent tool that implements the full\nend-to-end process of requesting certs from Vault and writing them to files. It also handles\nrenewals. `certsponge` is not trying to do all of that; its only goal is to split the output\nfrom the `vault` CLI into files.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoemiller%2Fcertsponge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoemiller%2Fcertsponge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoemiller%2Fcertsponge/lists"}