go-ca:SSL 证书私有签署工具

发布时间: 更新时间: 总字数:351 阅读时间:1m 作者: IP上海 分享 网址

go-ca 使用 golang 开发的,SSL自签名客户端,自动生成Root CA、二级CA、域名证书。

介绍

build-test GoDoc Go Report Card

golang x-ca client, which can simple Sign Self Root/Second-Level CA, and sign for Domains and IPs.

shell implement at x-ca/x-ca

install

curl -Lfs -o xca https://github.com/x-ca/go-ca/releases/latest/download/xca-{linux|darwin|windows}
chmod +x xca
mv xca /usr/local/bin/

Help

$ xca --help
Create Root CA and TLS CA:
xca -create-ca true \
  -root-cert x-ca/ca/root-ca.crt \
  -root-key x-ca/ca/root-ca/private/root-ca.key \
  -tls-cert x-ca/ca/tls-ca.crt \
  -tls-key x-ca/ca/tls-ca/private/tls-ca.key \
  -tls-chain x-ca/ca/tls-ca-chain.pem

Sign Domains or Ips:
xca -cn xxxx \
  --domains "xxx,xxx" --ips "xxx,xxx" \
  -tls-cert x-ca/ca/tls-ca.crt \
  -tls-key x-ca/ca/tls-ca/private/tls-ca.key \
  -tls-chain x-ca/ca/tls-ca-chain.pem

Usage:
  -cn string
    	sign cert common name.
  -create-ca
    	Create Root CA.
  -domains string
    	Comma-Separated domain names.
  -help
    	show help message
  -ips string
    	Comma-Separated IP addresses.
  -root-cert string
    	Root certificate file path, PEM format. (default "x-ca/ca/root-ca.crt")
  -root-key string
    	Root private key file path, PEM format. (default "x-ca/ca/root-ca/private/root-ca.key")
  -tls-cert string
    	Second-Level certificate file path, PEM format. (default "x-ca/ca/tls-ca.crt")
  -tls-chain string
    	Root/Second-Level CA Chain file path, PEM format. (default "x-ca/ca/tls-ca-chain.pem")
  -tls-key string
    	Second-Level private key file path, PEM format. (default "x-ca/ca/tls-ca/private/tls-ca.key")
  -tls-key-password string
    	tls key password, only work for load github.com/x-ca/x-ca.

Source Code:
  https://github.com/x-ca/go-ca

Usage Demo

  • create ca
xca -create-ca true \
  -root-cert x-ca/ca/root-ca.crt \
  -root-key x-ca/ca/root-ca/private/root-ca.key \
  -tls-cert x-ca/ca/tls-ca.crt \
  -tls-key x-ca/ca/tls-ca/private/tls-ca.key

install x-ca/ca/root-ca.crt and x-ca/ca/tls-ca.crt to trust Your CA.

  • or use x-ca
mkdir path
git clone git@github.com:x-ca/ca.git x-ca
  • sign domain
xca -cn xiexianbin.cn \
  --domains "*.xiexianbin.cn,*.80.xyz" \
  --ips 100.80.0.128 \
  -tls-cert x-ca/ca/tls-ca.crt \
  -tls-key x-ca/ca/tls-ca/private/[tls-ca.key | tls-ca-des3.key]
  • test cert
docker run -it -d \
  -p 8443:443 \
  -v $(pwd)/examples/default.conf:/etc/nginx/conf.d/default.conf \
  -v $(pwd)/x-ca/certs/xiexianbin.cn/xiexianbin.cn.bundle.crt:/etc/pki/nginx/server.crt \
  -v $(pwd)/x-ca/certs/xiexianbin.cn/xiexianbin.cn.key:/etc/pki/nginx/private/server.key \
  nginx

visit https://dev.xiexianbin.cn:8443/

FaQ

if CA Cert begin with BEGIN ENCRYPTED PRIVATE KEY(raise Error: fromPEMBytes: x509: no DEK-Info header in block), Use openssl rsa -in root-ca.key -des3 change cipher

Ref

Home Archives Categories Tags Statistics
本文总阅读量 次 本站总访问量 次 本站总访客数