Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rabbitmq/tls-gen
Generates self-signed x509/TLS/SSL certificates useful for development
https://github.com/rabbitmq/tls-gen
ssl tls
Last synced: 19 days ago
JSON representation
Generates self-signed x509/TLS/SSL certificates useful for development
- Host: GitHub
- URL: https://github.com/rabbitmq/tls-gen
- Owner: rabbitmq
- License: mpl-2.0
- Created: 2013-06-21T16:59:12.000Z (over 11 years ago)
- Default Branch: main
- Last Pushed: 2024-05-15T13:49:49.000Z (7 months ago)
- Last Synced: 2024-11-15T15:22:58.530Z (27 days ago)
- Topics: ssl, tls
- Language: Python
- Homepage:
- Size: 158 KB
- Stars: 368
- Watchers: 16
- Forks: 103
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- jimsghstars - rabbitmq/tls-gen - Generates self-signed x509/TLS/SSL certificates useful for development (Python)
README
## TLS (SSL, x.509) Certificate Generator
`tls-gen` is an OpenSSL-based tool that generates self-signed x.509 certificates that are
meant to be used in development and QA environments.The project is originally extracted from a number of [RabbitMQ](https://rabbitmq.com) test suites.
## What It Does
`tls-gen` generates a self-signed Certificate Authority (CA) certificate
and two or more pairs of keys: client and server, all with a single command.It supports more than one profile that generates certificate chains of different length and "shape".
Private keys can be generated using RSA as well as [ECC][ecc-intro].
## Prerequisites
`tls-gen` requires
* `openssl`
* Python 3.6 or later in `PATH` as `python3` (older versions are not supported)
* `make`
* `hostname`## Usage
Certificate authorities (CAs) and certificates can form chains. tls-gen provides
several "profiles" that produce different kinds of certificate chains:* [Profile 1](./basic/): a root CA with leaf certificate/key pairs signed by it
* [Profile 2](./two_shared_intermediates/): a root CA with multiple shared intermediary certificates and leaf pairs signed by the intermediaries
* [Profile 3](./separate_intermediates/): a root CA with two intermediary certificates (one for server, one for client) and leaf pairs signed by the intermediariesEach profile has a sub-directory in repository root. All profiles use
the same `make` targets and directory layouts that are as close as possible.### Profile 1 (Basic Profile)
To generate a CA, client and server private key/certificate pairs, run
`make` from the [basic](./basic) profile directory with the `PASSWORD` variable
providing the passphrase:``` shell
cd [path to tls-gen repository]/basic
# pass a private key password using the PASSWORD variable if needed
make## copy or move files to use hostname-neutral filenames
## such as client_certificate.pem and client_key.pem,
## this step is optional
# make alias-leaf-artifacts# results will be under the ./result directory
ls -lha ./result
```Generated CA certificate as well as client and server certificate and private keys will be
under the `result` directory. Their names will include hostnames. To use
"host-neutral" names such as `client_certificate.pem` and `client_key.pem`, use``` shell
make alias-leaf-artifacts
```It is possible to use [ECC][ecc-intro] for leaf keys:
``` shell
cd [path to tls-gen repository]/basic
# pass a private key password using the PASSWORD variable if needed
make USE_ECC=true ECC_CURVE="prime256v1"
# results will be under the ./result directory
ls -lha ./result
```The list of available curves can be obtained with
``` shell
openssl ecparam -list_curves
```### Profile 2 (Shared Chained Certificates)
To generate a root CA, 2 shared intermediate CAs, client and server key/certificate pairs, run `make` from
the [two_shared_intermediates](./two_shared_intermediates) directory:``` shell
# pass a private key password using the PASSWORD variable if needed
make
# results will be under the ./result directory
ls -lha ./result
```It is possible to use [ECC][ecc-intro] for intermediate and leaf keys:
``` shell
make USE_ECC=true ECC_CURVE="prime256v1"
# results will be under the ./result directory
ls -lha ./result
```The list of available curves can be obtained with
``` shell
openssl ecparam -list_curves
```### Profile 3 (Separate Certificate Chains)
To generate a root CA, 2 intermediate CAs (one for server, one for client), client and server key/certificate pairs, run `make` from
the [separate_intermediates](./separate_intermediates) directory:``` shell
# pass a private key password using the PASSWORD variable if needed
make
# results will be under the ./result directory
ls -lha ./result
```It is possible to use [ECC][ecc-intro] for intermediate and leaf keys:
``` shell
make USE_ECC=true ECC_CURVE="prime256v1"
# results will be under the ./result directory
ls -lha ./result
```The list of available curves can be obtained with
``` shell
openssl ecparam -list_curves
```### Regeneration
To generate a new set of keys and certificates, use
``` shell
# pass a private key password using the PASSWORD variable if needed
make regen
```The `regen` target accepts the same variables as `gen` (default target) above.
### Verification
You can verify the generated client and server certificates against the generated CA one with
``` shell
make verify
```### Overriding CN (Common Name)
By default, certificate's CN ([Common Name](http://tldp.org/HOWTO/Apache-WebDAV-LDAP-HOWTO/glossary.html)) is calculated using `hostname`.
It is possible to override CN with a `make` variable:
``` shell
make CN=secure.mydomain.local
```### Overriding Certificate Validity Period
By default certificates will be valid for 3650 days (about 10 years). The period
can be changed by overriding the `DAYS_OF_VALIDITY` variable``` shell
make DAYS_OF_VALIDITY=365
```### Generating Expired Certificates
It may be necessary to generate an expired certificate, e.g. to test TLS handshake
and peer verification failures. To do so, set the certificate validity in
days to a negative value:``` shell
make DAYS_OF_VALIDITY=-7
```### Overriding Number of Private Key Bits
It is possible to override the number of private key bits
with a `make` variable:``` shell
make NUMBER_OF_PRIVATE_KEY_BITS=4096
```### Certificate Information
To display information about generated certificates, use
``` shell
make info
```This assumes the certificates were previously generated.
## License
Mozilla Public License, see `LICENSE`.
[ecc-intro]: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/