{"id":13452409,"url":"https://github.com/trimstray/mkchain","last_synced_at":"2025-05-16T03:05:50.561Z","repository":{"id":65977070,"uuid":"110849655","full_name":"trimstray/mkchain","owner":"trimstray","description":"Open source tool to help you build a valid SSL certificate chain.","archived":false,"fork":false,"pushed_at":"2024-11-19T14:06:12.000Z","size":960,"stargazers_count":364,"open_issues_count":4,"forks_count":52,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-04-08T13:13:05.487Z","etag":null,"topics":["certificates","chain","openssl","openssl-certs","ssl-cert","ssl-certificate-chain","ssl-certificates","trust-chain"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trimstray.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-11-15T15:16:45.000Z","updated_at":"2025-03-10T11:05:41.000Z","dependencies_parsed_at":"2025-04-01T12:14:07.093Z","dependency_job_id":null,"html_url":"https://github.com/trimstray/mkchain","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trimstray%2Fmkchain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trimstray%2Fmkchain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trimstray%2Fmkchain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trimstray%2Fm
kchain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trimstray","download_url":"https://codeload.github.com/trimstray/mkchain/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459088,"owners_count":22074605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificates","chain","openssl","openssl-certs","ssl-cert","ssl-certificate-chain","ssl-certificates","trust-chain"],"created_at":"2024-07-31T07:01:23.360Z","updated_at":"2025-05-16T03:05:45.551Z","avatar_url":"https://github.com/trimstray.png","language":"Shell","funding_links":[],"categories":["Shell","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e新添加的","\u003ca id=\"86d5daccb4ed597e85a0ec9c87f3c66f\"\u003e\u003c/a\u003eTLS\u0026\u0026SSL\u0026\u0026HTTPS"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的","\u003ca id=\"776c034543a65be69c061d1aafce3127\"\u003e\u003c/a\u003e新添加的"],"readme":"\u003ch1 align=\"center\"\u003emkchain\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eOpen source tool to help you build a valid SSL certificate chain.\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://travis-ci.org/trimstray/mkchain\"\u003e\n    \u003cimg src=\"https://travis-ci.org/trimstray/mkchain.svg?branch=master\" alt=\"Travis-CI\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://img.shields.io/badge/Version-v1.5.1-lightgrey.svg\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/Version-v1.5.1-lightgrey.svg\" alt=\"Version\"\u003e\n  
\u003c/a\u003e\n  \u003ca href=\"http://www.gnu.org/licenses/\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/license-GNU-blue.svg\" alt=\"License\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"#description\"\u003eDescription\u003c/a\u003e\n • \u003ca href=\"#how-to-use\"\u003eHow To Use\u003c/a\u003e\n • \u003ca href=\"#parameters\"\u003eParameters\u003c/a\u003e\n • \u003ca href=\"#how-it-works\"\u003eHow it works\u003c/a\u003e\n • \u003ca href=\"#requirements\"\u003eRequirements\u003c/a\u003e\n • \u003ca href=\"#other\"\u003eOther\u003c/a\u003e\n • \u003ca href=\"#license\"\u003eLicense\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cbr\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"/static/img/mkchain_preview.png\" alt=\"Master\"\u003e\n\u003c/p\u003e\n\n## Description\n\n`mkchain` is an open source tool to help you build a valid SSL certificate chain. It can also help you fix an incomplete chain and download all missing CA certificates. 
You can also download all certificates from a remote server and [get your certificate chain right](https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce).\n\n## How To Use\n\nIt's simple:\n\n```bash\n# Clone this repository\ngit clone https://github.com/trimstray/mkchain\n\n# Go into the repository\ncd mkchain\n\n# Install\n./setup.sh install\n\n# Run the app\nmkchain -i /data/certs -o /data/chain.crt\n```\n\n\u003e * symlink to `bin/mkchain` is placed in `/usr/local/bin`\n\u003e * man page is placed in `/usr/local/man/man8`\n\n## Parameters\n\nProvides the following options:\n\n```bash\n  Usage:\n    mkchain \u003coption|long-option\u003e\n\n  Examples:\n    mkchain --in Root.crt --in Intermediate1.crt --in Server.crt --out bundle_chain_certs.crt\n    mkchain --in /tmp/certs --out bundle_chain_certs.crt --with-root\n    mkchain -i Server.crt -o bundle_chain_certs.crt\n    mkchain -i https://incomplete-chain.badssl.com/ --with-root\n\n  Options:\n        --help        show this message\n        --debug       displays information on the screen (debug mode)\n    -i, --in          add certificates to merge (file, multiple files, directory with ssl certificates\n                      or remote domain)\n    -o, --out         saves the result (chain) to a file\n        --with-root   add root certificate to certificates chain\n```\n\n  \u003e `-o|--out` - without this parameter, `mkchain` saves the output chain to the `mkchain/chains/` directory.\n\n## How It Works\n\n  \u003e Before reading this, please see the article about **[SSL Certificate Chain](https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/)**.\n\nLet's start with the **ssllabs** certificate chain. 
Its certificates are delivered together with `mkchain` and can be found in the `example/ssllabs.com` directory, which additionally contains the `all` directory (containing all the certificates needed to assemble the chain) and the `server_certificate` directory (containing only the server certificate).\n\nThe correct chain for the **ssllabs.com** domain (the result of the `openssl` command):\n\n```bash\nCertificate chain\n 0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com\n   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K\n 1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K\n   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2\n 2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2\n   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority\n```\n\nThe output above shows a full chain consisting of:\n\n- **Identity Certificate** (Server Certificate)\n\n  issued for *ssllabs.com* by *Entrust Certification Authority - L1K*\n\n- **Intermediate Certificate**\n\n  issued for *Entrust Certification Authority - L1K* by *Entrust Root Certification Authority - G2*\n\n- **Intermediate Certificate**\n\n  issued for *Entrust Root Certification Authority - G2* by *Entrust Root Certification Authority*\n\n- **Root Certificate** (Self-Signed Certificate)\n\n  issued for *Entrust Root Certification Authority* by *Entrust Root Certification Authority*\n\n#### Scenario 1\n\nIn this scenario, we will chain all delivered certificates. 
Example of running the tool:\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"/static/img/mkchain_output_1.png\" alt=\"Master\"\u003e\n\u003c/p\u003e\n\n#### Scenario 2\n\nIn this scenario, we only use the server certificate and use it to retrieve the remaining required certificates. Then, as above, we will combine all the provided certificates. Example of running the tool:\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"/static/img/mkchain_output_2.png\" alt=\"Master\"\u003e\n\u003c/p\u003e\n\n### Certificate Chain\n\nIn order to create a valid chain, you must provide the tool with all the necessary certificates (if you set a directory for the `-i|--in` parameter). These are:\n\n- **Server Certificate**\n- **Intermediate CAs** and **Root CAs**\n\nThis is very important because without it you will not be able to determine the beginning and end of the chain.\n\n  \u003e If you set only a certificate file as the `-i|--in` value, `mkchain` automatically downloads all necessary certificates.\n\nHowever, if you look inside the chain generated with `mkchain`, you will not find the root certificate there.\n\nWhy? Because self-signed root certificates need not/should not be included in web server configuration. 
They serve no purpose (clients will always ignore them) and they incur a slight performance (latency) penalty because they increase the size of the SSL handshake.\n\nIf you want to add a root certificate to the certificate chain, call the utility with the `--with-root` parameter.\n\n### Certification Paths\n\n`mkchain` allows the use of two **certification paths**:\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"/static/img/ssllabs_output_1.png\" alt=\"Master\"\u003e\n\u003c/p\u003e\n\n### Output comments\n\nWhen generating the chain of certificates, `mkchain` displays comments with information about certificates, including any errors.\n\nHere is a list of all possibilities:\n\n#### not found identity (end-user, server) certificate\n\nThe message is displayed in the absence of a server certificate that is the beginning of the chain. This is a unique case because in this situation `mkchain` ends its operation, displaying only this information. The server certificate is the only certificate required to correctly create a chain. Without this certificate, the correct chain will not be created.\n\n#### found correct identity (end-user, server) certificate\n\nThe reverse situation: this message is displayed when a valid server certificate is found.\n\n#### not found first intermediate certificate\n\nThis message appears when the first of the two intermediate certificates is not found. This information does not explicitly indicate the absence of a second intermediate certificate; on the other hand, it allows you to determine whether the intermediate certificate that signed the server certificate exists. Additionally, it can be displayed if the second intermediate certificate has been delivered.\n\n#### not found second intermediate certificate\n\nSimilar to the above, but it concerns the second intermediate certificate. However, it is possible to create the chain correctly using the second certification path, e.g. 
using the first intermediate certificate and replacing the second with the main certificate.\n\n#### one or more intermediate certificate not found\n\nThis message means that one or all of the required intermediate certificates are missing; it is displayed in the absence of the root certificate.\n\n#### found 'n' correct intermediate certificate(s)\n\nThis message indicates the number of valid intermediate certificates.\n\n#### not found correct root certificate\n\nThe lack of the root certificate is treated as a warning. Of course, when configuring certificates on the server side, it is not recommended to attach a root certificate, but if you create the chain with `mkchain`, it treats the chain as incomplete, displaying information about the incorrect creation of the chain.\n\n#### an empty CN field was found in one of the certificates\n\nThis message does not report an error but the lack of the CN field, which can happen with some certificates (look at `example/google.com`). The Common Name field identifies the host name associated with the certificate. There is no requirement in **RFC3280** for an Issuer DN to have a CN. 
Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.\n\n## Requirements\n\n`mkchain` requires external utilities to be installed before running:\n\n- **[OpenSSL](https://www.openssl.org/)** (tested on 1.1.0g/h)\n\nThis tool works with:\n\n- **GNU/Linux** (tested on Debian and CentOS)\n- **[Bash](https://www.gnu.org/software/bash/)** (tested on 4.4.19)\n\n**MacOS/FreeBSD**:\n\n* a replacement for getopt(1) that supports GNU-style long options (`pkg install getopt`)\n* also works on MacOS with `greadlink` from **coreutils** (installed via homebrew)\n\n## Other\n\n### Contributing\n\nSee **[this](.github/CONTRIBUTING.md)**.\n\n### Project architecture\n\nSee **[this](https://github.com/trimstray/mkchain/wiki/Project-architecture)**.\n\n## License\n\nGPLv3 : \u003chttp://www.gnu.org/licenses/\u003e\n\n**Free software, Yeah!**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrimstray%2Fmkchain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrimstray%2Fmkchain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrimstray%2Fmkchain/lists"}