{"id":22911993,"url":"https://github.com/opencoff/certik","last_synced_at":"2025-05-09T01:33:40.434Z","repository":{"id":64300031,"uuid":"205496063","full_name":"opencoff/certik","owner":"opencoff","description":"opinionated TLS client \u0026 server PKI management tool","archived":false,"fork":false,"pushed_at":"2025-01-08T18:18:42.000Z","size":43,"stargazers_count":26,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-31T20:39:13.136Z","etag":null,"topics":["ca","local-ca","pki","pki-applications","pki-tools","self-signed-certificate","ssl-cert","tls-certificate","tls-support"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opencoff.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-31T04:41:56.000Z","updated_at":"2025-03-30T22:34:20.000Z","dependencies_parsed_at":"2023-12-20T10:35:11.610Z","dependency_job_id":"c2f59f73-c522-45ba-b846-a5d4ba8b264d","html_url":"https://github.com/opencoff/certik","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Fcertik","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Fcertik/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Fcertik/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opencoff%2Fcertik/manifests","owner_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opencoff","download_url":"https://codeload.github.com/opencoff/certik/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253174371,"owners_count":21865852,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ca","local-ca","pki","pki-applications","pki-tools","self-signed-certificate","ssl-cert","tls-certificate","tls-support"],"created_at":"2024-12-14T04:19:29.808Z","updated_at":"2025-05-09T01:33:40.403Z","avatar_url":"https://github.com/opencoff.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## TL;DR\nThis is an opinionated single-file TLS certificate manager.\nIt has _no_ dependencies on any other external tool\nsuch as openssl. 
It is a simpler replacement for openssl(1).\n\n## Features\n* Uses a single [boltdb](https://github.com/etcd/bbolt) instance to store the\n  certificates and keys.\n* All data stored in the database is encrypted with keys derived from a user\n  supplied CA passphrase.\n* The certificates and keys are opinionated:\n   * Secp256k1 EC certificate private keys\n   * \"SSL-Server\" attribute set on server certificates (nsCertType)\n   * \"SSL-Client\" attribute set on client certificates (nsCertType)\n   * ECDSA with SHA512 is used as the signature algorithm\n\n## Building certik\nYou will need a fairly recent golang toolchain (\u003e1.10):\n\n    $ git clone https://github.com/opencoff/certik\n    $ cd certik\n    $ ./build -s\n\nThe build script puts the binary in a platform-specific directory:\n\n* macOS: `bin/darwin-amd64`\n* Linux: `bin/linux-amd64`\n* OpenBSD: `bin/openbsd-amd64`\n\nAnd so on. The build script can generate a fully standalone\nstatically-linked binary on platforms that support it. To build\nstatically linked binaries, use `build -s`.\n\nYou can also do cross-platform builds for any OS/Arch\ncombination supported by the golang toolchain. e.g., on macOS,\nto build a statically linked binary for the linux-amd64 architecture:\n\n    $ ./build -s --arch linux-amd64\n\n## Invoking certik\nThe common pattern for invoking certik is:\n\n    certik DB CMD [options] [arguments]\n\nWhere:\n* *DB* is the name of the certificate store (database). This is a\n  [boltdb](https://github.com/etcd/bbolt) instance.\n\n* *CMD* is a command - one of `init`, `server`, `client`, `export`,\n  `list`, `delete`, `crl`.\n\nThe tool writes the certificates and keys into an encrypted boltdb instance.\n\nThe tool comes with built-in help:\n\n    $ ./bin/openbsd-amd64/certik --help\n\nEvery subcommand comes with its own help, but it requires you to at least\nsupply a database name as the first argument. 
e.g.,\n\n    $ ./bin/openbsd-amd64/certik foo.db server --help\n\n## Common Workflows\nIn what follows, we will assume that you have built certik and\ninstalled it somewhere in your `$PATH`.\n\n### Initialize a new CA\nBefore any certificates are generated, one must first create a CA and\ninitialize the certificate DB:\n\n    $ certik -v foo.db init my-CA\n\nYou can optionally initialize a CA from a previously exported JSON\ndump:\n\n    $ certik -v foo.db init --from-json FILE\n\nYou can see the generated CA certificate in two ways:\n\n1. Using the `-v` global option of certik\n2. Using the `list` command with the `--root-ca` option.\n\nIn general, using the `-v` global option when generating the CA, server\nor client certificates will print the certificate to stdout at the end.\n\nThe CA can be initialized with additional data such as Organization Name,\nOrganization Unit Name etc. See `init --help` for additional details.\n\nThe default lifetime of the CA is 5 years; you can change this via\nthe `-V` (`--validity`) option to \"init\".\n\n### Create a TLS server certificate \u0026 key pair\nA TLS server needs a few things:\n* A server common name - so clients can address it by DNS name.\n* Optionally, an IP Address\n\nCreating a new server certificate/key pair:\n\n    $ certik -v foo.db server -i IP.ADDR.ES server.domain.name\n\nOf course, you should use the appropriate values for `IP.ADDR.ES`\nand `server.domain.name` for your setup.\n\nThe IP Address and Server FQDN show up in the certificate as\nCertificate.IPAddress and Certificate.Subject.CommonName.\nAdditionally, the server FQDN also shows up in Certificate.DNSNames.\n\nYou can request the server certificate to have a different\nvalidity via the `-V` (`--validity`) option; this option takes the\nvalue in units of years.\n\nYou can of course create as many server certificates as needed.\n\n### Create a TLS client (user) certificate \u0026 key pair\nA TLS client certificate is quite simple - it just 
needs a\ncommon name. For convenience, you may use the email address as the\ncommon name.\n\n    $ certik -v foo.db client user@domain.name\n\nYou can ask for the client private key to be encrypted with a user\nsupplied passphrase by using the `-p` or `--password` option to the\n`client` command.  You can request the client certificate to have\na different validity via the `-V` (`--validity`) option; this option\ntakes the value in units of years.\n\n### Delete a certificate \u0026 key from the Cert Database\nOnce in a while you will want to delete users and prevent them from\nconnecting to the TLS server. E.g.,\n\n    $ certik -v foo.db delete user@domain.name user2@domain\n\nThis only deletes the users from the certificate DB. You still need\nto generate a new CRL (Certificate Revocation List) and push it to\nyour server. See the next workflow.\n\n### Generate a CRL from Revoked Certificates\nOnce a user is deleted from the system, you will need to generate a\nnew CRL and push it to the server. The command to generate a new\nCRL:\n\n    $ certik -v foo.db crl -o crl.pem\n\nThis writes the PEM-encoded CRL to `crl.pem`. You must copy this file\nto the OpenVPN server and reload (or restart) it.\n\nYou can also just view a full list of revoked users:\n\n    $ certik foo.db crl --list\n\n### See list of certificates managed by this CA\nTo see a list of certificates in the database:\n\n    $ certik foo.db list\n\n### Exporting a Certificate \u0026 Key\nAlthough the tool manages the certificates, to use them in a TLS client or server\nwe need to export the CA certificate, server certificate and key.\nTo export a certificate \u0026 key configuration:\n\n    $ certik foo.db export server.domain.name\n    $ certik foo.db export user@domain.name\n\nThis prints the PEM-encoded cert \u0026 key to stdout. 
To write each to a\nseparate file:\n\n    $ certik foo.db export server.domain.name -o server\n\nThis will write the certificate to `server.crt` and the key to\n`server.key`.\n\n### Exporting the CA Certificate\nThe CA certificate anchors the root of trust, so the TLS server and\nclient both need the CA certificate. One exports it like so:\n\n    $ certik foo.db export --ca -o ca.crt\n\n\n## TODO\n\n* Tests\n\n# Development Notes\nIf you wish to hack on this, the notes here might be useful.\n\nThe code is organized as a library \u0026 command line frontend for that library.\n\n* We use go module support; you will need go 1.10 or later\n\n* The build script `build` is a shell script to build the program.\n  It does two very important things:\n    * Puts the binary in an OS+Arch-specific directory\n    * Injects a git version-tag into the final binary (\"linker resolved symbol\")\n\n## Guide to Source Code\n* Uses an external PKI library from [go-pki](https://github.com/opencoff/go-pki)\n\n* `src/`: Command line interface to the library capabilities. Each\n  command is in its own file.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopencoff%2Fcertik","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopencoff%2Fcertik","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopencoff%2Fcertik/lists"}