{"id":13468784,"url":"https://github.com/rabbitmq/tls-gen","last_synced_at":"2025-04-05T14:09:01.811Z","repository":{"id":9075048,"uuid":"10847557","full_name":"rabbitmq/tls-gen","owner":"rabbitmq","description":"Generates self-signed x509/TLS/SSL certificates useful for development","archived":false,"fork":false,"pushed_at":"2024-05-15T13:49:49.000Z","size":162,"stargazers_count":376,"open_issues_count":3,"forks_count":103,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-03-29T13:09:43.343Z","etag":null,"topics":["ssl","tls"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rabbitmq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-06-21T16:59:12.000Z","updated_at":"2025-03-10T13:28:49.000Z","dependencies_parsed_at":"2024-10-29T21:43:32.418Z","dependency_job_id":null,"html_url":"https://github.com/rabbitmq/tls-gen","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabbitmq%2Ftls-gen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabbitmq%2Ftls-gen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabbitmq%2Ftls-gen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rabbitmq%2Ftls-gen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rabbitmq","download_url":"https://codeload.github.com/rabbitmq/tls-gen/tar.g
z/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247345854,"owners_count":20924102,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ssl","tls"],"created_at":"2024-07-31T15:01:19.030Z","updated_at":"2025-04-05T14:09:01.788Z","avatar_url":"https://github.com/rabbitmq.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"## TLS (SSL, x.509) Certificate Generator\n\n`tls-gen` is an OpenSSL-based tool that generates self-signed x.509 certificates that are\nmeant to be used in development and QA environments.\n\nThe project was originally extracted from a number of [RabbitMQ](https://rabbitmq.com) test suites.\n\n\n## What It Does\n\n`tls-gen` generates a self-signed Certificate Authority (CA) certificate\nand two or more pairs of keys: client and server, all with a single command.\n\nIt supports several profiles that generate certificate chains of different length and \"shape\".\n\nPrivate keys can be generated using RSA as well as [ECC][ecc-intro].\n\n## Prerequisites\n\n`tls-gen` requires\n\n * `openssl`\n * Python 3.6 or later in `PATH` as `python3` (older versions are not supported)\n * `make`\n * `hostname`\n\n\n\n## Usage\n\nCertificate authorities (CAs) and certificates can form chains. 
tls-gen provides\nseveral \"profiles\" that produce different kinds of certificate chains:\n\n * [Profile 1](./basic/): a root CA with leaf certificate/key pairs signed by it\n * [Profile 2](./two_shared_intermediates/): a root CA with multiple shared intermediary certificates and leaf pairs signed by the intermediaries\n * [Profile 3](./separate_intermediates/): a root CA with two intermediary certificates (one for server, one for client) and leaf pairs signed by the intermediaries\n\nEach profile has a sub-directory in the repository root. All profiles use\nthe same `make` targets, and their directory layouts are kept as similar as possible.\n\n### Profile 1 (Basic Profile)\n\nTo generate a CA, client and server private key/certificate pairs, run\n`make` from the [basic](./basic) profile directory with the `PASSWORD` variable\nproviding the passphrase:\n\n``` shell\ncd [path to tls-gen repository]/basic\n# pass a private key password using the PASSWORD variable if needed\nmake\n\n## copy or move files to use hostname-neutral filenames\n## such as client_certificate.pem and client_key.pem,\n## this step is optional\n# make alias-leaf-artifacts\n\n# results will be under the ./result directory\nls -lha ./result\n```\n\nThe generated CA certificate, as well as the client and server certificates and private keys, will be\nunder the `result` directory. Their names will include hostnames. 
To use\n\"host-neutral\" names such as `client_certificate.pem` and `client_key.pem`, use\n\n``` shell\nmake alias-leaf-artifacts\n```\n\nIt is possible to use [ECC][ecc-intro] for leaf keys:\n\n``` shell\ncd [path to tls-gen repository]/basic\n# pass a private key password using the PASSWORD variable if needed\nmake USE_ECC=true ECC_CURVE=\"prime256v1\"\n# results will be under the ./result directory\nls -lha ./result\n```\n\nThe list of available curves can be obtained with\n\n``` shell\nopenssl ecparam -list_curves\n```\n\n### Profile 2 (Shared Chained Certificates)\n\nTo generate a root CA, 2 shared intermediate CAs, client and server key/certificate pairs, run `make` from\nthe [two_shared_intermediates](./two_shared_intermediates) directory:\n\n``` shell\n# pass a private key password using the PASSWORD variable if needed\nmake\n# results will be under the ./result directory\nls -lha ./result\n```\n\nIt is possible to use [ECC][ecc-intro] for intermediate and leaf keys:\n\n``` shell\nmake USE_ECC=true ECC_CURVE=\"prime256v1\"\n# results will be under the ./result directory\nls -lha ./result\n```\n\nThe list of available curves can be obtained with\n\n``` shell\nopenssl ecparam -list_curves\n```\n\n### Profile 3 (Separate Certificate Chains)\n\nTo generate a root CA, 2 intermediate CAs (one for server, one for client), client and server key/certificate pairs, run `make` from\nthe [separate_intermediates](./separate_intermediates) directory:\n\n``` shell\n# pass a private key password using the PASSWORD variable if needed\nmake\n# results will be under the ./result directory\nls -lha ./result\n```\n\nIt is possible to use [ECC][ecc-intro] for intermediate and leaf keys:\n\n``` shell\nmake USE_ECC=true ECC_CURVE=\"prime256v1\"\n# results will be under the ./result directory\nls -lha ./result\n```\n\nThe list of available curves can be obtained with\n\n``` shell\nopenssl ecparam -list_curves\n```\n\n### Regeneration\n\nTo generate a new set of keys and 
certificates, use\n\n``` shell\n# pass a private key password using the PASSWORD variable if needed\nmake regen\n```\n\nThe `regen` target accepts the same variables as `gen` (the default target) above.\n\n### Verification\n\nYou can verify the generated client and server certificates against the generated CA certificate with\n\n``` shell\nmake verify\n```\n\n### Overriding CN (Common Name)\n\nBy default, a certificate's CN ([Common Name](http://tldp.org/HOWTO/Apache-WebDAV-LDAP-HOWTO/glossary.html)) is calculated using `hostname`.\n\nIt is possible to override CN with a `make` variable:\n\n``` shell\nmake CN=secure.mydomain.local\n```\n\n### Overriding Certificate Validity Period\n\nBy default, certificates will be valid for 3650 days (about 10 years). The period\ncan be changed by overriding the `DAYS_OF_VALIDITY` variable:\n\n``` shell\nmake DAYS_OF_VALIDITY=365\n```\n\n### Generating Expired Certificates\n\nIt may be necessary to generate an expired certificate, e.g. to test TLS handshake\nand peer verification failures. To do so, set the certificate validity in\ndays to a negative value:\n\n``` shell\nmake DAYS_OF_VALIDITY=-7\n```\n\n### Overriding Number of Private Key Bits\n\nIt is possible to override the number of private key bits\nwith a `make` variable:\n\n``` shell\nmake NUMBER_OF_PRIVATE_KEY_BITS=4096\n```\n\n### Certificate Information\n\nTo display information about generated certificates, use\n\n``` shell\nmake info\n```\n\nThis assumes the certificates were previously generated.\n\n\n\n## License\n\nMozilla Public License, see `LICENSE`.\n\n[ecc-intro]: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frabbitmq%2Ftls-gen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frabbitmq%2Ftls-gen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frabbitmq%2Ftls-gen/lists"}