Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Shyp/generate-tls-cert

Generating self signed certificates
https://github.com/Shyp/generate-tls-cert

curl golang javascript self-signed-certificate

Last synced: about 1 month ago
JSON representation

Generating self signed certificates

Host: GitHub
URL: https://github.com/Shyp/generate-tls-cert
Owner: Shyp
Created: 2018-02-02T01:52:23.000Z (almost 7 years ago)
Default Branch: master
Last Pushed: 2018-11-17T22:49:10.000Z (about 6 years ago)
Last Synced: 2024-08-01T13:25:53.241Z (4 months ago)
Topics: curl, golang, javascript, self-signed-certificate
Language: Go
Size: 13.7 KB
Stars: 152
Watchers: 6
Forks: 28
Open Issues: 3
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-ccamel - Shyp/generate-tls-cert - Generating self signed certificates (Go)

README

        # Better self-signed certificates

Here's a script that helps you generate self signed certificates. It will

generate both a root certificate and a leaf.

(The TLS certificates generated by `crypto/tls/generate_cert.go` act both as a

CA and as a leaf certificate. Some TLS clients have a problem with that scheme.)

This script modifies `crypto/tls/generate_cert.go` slightly:

- A leaf certificate and a root certificate are generated.

- the only supported key type is ecdsa P256.

- Better usage instructions are generated.

Credit comes from [Adam Langley](https://www.imperialviolet.org/), who provided

the initial version of this script on a golang-nuts message thread.

## Installation

```bash

go get github.com/Shyp/generate-tls-cert

```

## Usage

Running `generate-tls-cert` will give you nine files. Three of them are the

most important:

- `root.pem`: The public key of the root CA. Add this as a CA in clients to

connect to your self-signed server (see "Client" below).

- `leaf.key` and `leaf.pem` - The public and private key for terminating TLS

  with your self signed certificate.

```

$ generate-tls-cert --host=localhost,127.0.0.1

Successfully generated certificates! Here's what you generated.

# Root CA

root.key

	The private key for the root Certificate Authority. Keep this private.

root.pem

	The public key for the root Certificate Authority. Clients should load the

	certificate in this file to connect to the server.

root.debug.crt

	Debug information about the generated certificate.

# Leaf Certificate - Use these to serve TLS traffic.

leaf.key

	Private key (PEM-encoded) for terminating TLS traffic on the server.

leaf.pem

	Public key for terminating TLS traffic on the server.

leaf.debug.crt

	Debug information about the generated certificate

# Client Certificate - You probably don't need these.

client.key: Secret key for TLS client authentication

client.pem: Public key for TLS client authentication

```

Add the following instructions to your Makefile, and all your users will have to

do to get started is run `make generate_cert` to download the binary and load

TLS certificates.

```make

GENERATE_TLS_CERT = $(GOPATH)/bin/generate-tls-cert

$(GENERATE_TLS_CERT):

	go get -u github.com/Shyp/generate-tls-cert

certs/leaf.pem: | $(GENERATE_TLS_CERT)

	mkdir -p certs

	cd certs && $(GENERATE_TLS_CERT) --host=localhost,127.0.0.1

# Generate TLS certificates for local development.

generate_cert: certs/leaf.pem | $(GENERATE_TLS_CERT)

```

## Client Side

Here's how to make requests that validate, using your new TLS certificates.

### Go

```go

rootPEM, err := ioutil.ReadFile("path/to/root.pem")

if err != nil {

	log.Fatal(err)

}

roots := x509.NewCertPool()

ok := roots.AppendCertsFromPEM(rootPEM)

if !ok {

	panic("failed to parse root certificate")

}

// Use the tls.Config here in http.Transport.TLSClientConfig

conn, err := tls.Dial("tcp", "yourhost:yourport", &tls.Config{

    RootCAs: roots,

})

if err != nil {

    panic("failed to connect: " + err.Error())

}

conn.Close()

```

### Javascript

```javascript

var fs = require('fs');

var https = require('https');

var get = https.request({

  path: '/', hostname: 'yourhost', port: yourport,

  ca: fs.readFileSync('path/to/root.pem'),

  agent: false,

  rejectUnauthorized: true,

}, function(response) {

  response.on('data', (d) => {

    process.stdout.write(d);

  });

});

get.on('error', function(e) {

  console.error(e)

  console.error("error", e)

  console.error("error", JSON.stringify(e))

});

get.end();

```

### Curl

```bash

curl --cacert path/to/root.pem https://yourhost:yourport

```

### Python Requests

```python

import requests

r = requests.get("https://yourhost:yourport", verify='root.pem')

print(r.status_code)

```

### OpenSSL

```bash

openssl s_client -showcerts -servername localhost -CAfile path/to/root.pem -connect yourhost:yourport

```

## Server Side

Here's how to integrate the generated certificates into different server

architectures.

### Go

Start the Go server with the leaf public and private keys.

```go

http.ListenAndServeTLS(":7252", "leaf.pem", "leaf.key", nil)

```

### Node.js

Start a Node server with the leaf public and private keys.

```javascript

const https = require('https');

const fs = require('fs');

const options = {

  key: fs.readFileSync('leaf.key'),

  cert: fs.readFileSync('leaf.pem'),

};

https.createServer(options, (req, res) => {

  res.writeHead(200);

  res.end('hello world\n');

}).listen(8000);

```