Top Related Projects
CFSSL: Cloudflare's PKI and TLS toolkit
A simple zero-config tool to make locally trusted development certificates with any names you'd like.
🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
easy-rsa - Simple shell based CA utility
A tool for secrets management, encryption as a service, and privileged access management
An ACME-based certificate authority, written in Go.
Quick Overview
Certstrap is a simple certificate authority (CA) tool for bootstrapping TLS/SSL infrastructure. It provides a straightforward command-line interface for creating root CAs, intermediate CAs, and signed certificates, making it easier to manage PKI infrastructure for development and small-scale production environments.
Pros
- Easy to use with a simple command-line interface
- Supports creation of root CAs, intermediate CAs, and signed certificates
- Cross-platform compatibility (works on Linux, macOS, and Windows)
- Lightweight and doesn't require complex setup or dependencies
Cons
- Limited features compared to more comprehensive PKI solutions
- Not suitable for large-scale enterprise PKI management
- No OCSP responder, and revocation is limited to a CRL file (init writes out/<CA>.crl) that you have to serve and distribute yourself
- CA private keys are PEM files on the local filesystem with no HSM or KMS integration, so it is a weak fit for environments that need stronger key custody
Getting Started
To get started with Certstrap, follow these steps:
- Install Certstrap (Go 1.18+ is required; with module-aware Go, go get no longer installs binaries, so use go install):
go install github.com/square/certstrap@latest
- Create a root CA:
certstrap init --common-name "My Root CA"
- Create a key and certificate signing request for the host, then sign it with the CA. Pass the host name with --domain as well as --common-name: --domain puts it in the Subject Alternative Name extension, which is what TLS clients actually match against.
certstrap request-cert --common-name example.com --domain example.com
certstrap sign example.com --CA "My Root CA"
- Use the generated certificates in your application or server configuration.
Note: Ensure you have Go installed on your system before running the installation command. The generated certificates and keys are written to the out/ directory under the current working directory by default; the CA's .key file is the root of trust for everything you sign, so keep it off the servers that only need the .crt.
Competitor Comparisons
CFSSL: Cloudflare's PKI and TLS toolkit
Pros of cfssl
- More comprehensive PKI toolkit with additional features like OCSP and CRL support
- Better suited for large-scale deployments and enterprise environments
- Offers a RESTful API for easier integration with other systems
Cons of cfssl
- Steeper learning curve due to more complex functionality
- Requires more setup and configuration for basic use cases
- Heavier resource usage compared to certstrap
Code comparison
certstrap:
certstrap init --common-name "Example CA"
certstrap request-cert --common-name "example.com"
certstrap sign example.com --CA "Example CA"
cfssl (config.json; the profile named with -profile must exist in the config, so a server profile is added next to the default):
{
  "signing": {
    "default": { "expiry": "8760h" },
    "profiles": {
      "server": {
        "usages": ["signing", "key encipherment", "server auth"],
        "expiry": "8760h"
      }
    }
  }
}
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config config.json -profile server server.json | cfssljson -bare server
certstrap is more straightforward for simple certificate generation, while cfssl offers more flexibility and configuration options but requires more setup.
A simple zero-config tool to make locally trusted development certificates with any names you'd like.
Pros of mkcert
- Simpler and more user-friendly, designed for local development
- Automatically installs root CA in system and browser trust stores
- Supports multiple platforms (Windows, macOS, Linux) out of the box
Cons of mkcert
- Limited to local development use cases
- Fewer customization options for certificate generation
- Not designed for production or enterprise certificate management
Code Comparison
mkcert:
mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1
certstrap:
certstrap init --common-name "Example CA"
certstrap request-cert --domain example.com
certstrap sign example.com --CA "Example CA"
Key Differences
- mkcert focuses on simplicity and ease of use for local development
- certstrap offers more flexibility and control over certificate generation
- mkcert automatically handles trust store management, while certstrap requires manual intervention
- certstrap is better suited for more complex certificate management scenarios
- mkcert has a single command for generating certificates, while certstrap uses a multi-step process
Both tools serve different purposes: mkcert is ideal for quick local development setups, while certstrap is more suitable for advanced certificate management needs and production environments.
🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
Pros of certificates
- More comprehensive PKI solution with additional features like ACME support and HSM integration
- Active development with frequent updates and releases
- Better documentation and extensive CLI options
Cons of certificates
- Larger codebase and potentially more complex setup
- Steeper learning curve for basic certificate operations
- May be overkill for simple certificate management needs
Code comparison
certificates (step-ca's authority package; Sign returns the full chain, so the caller gets a slice):
certs, err := auth.Sign(csr, signOpts, extraOpts...)
if err != nil {
	return nil, err
}
certstrap (the pkix package; the CA certificate, the CA key and the parsed CSR go in, the CA fixes the expiry, and subject and SANs come from the CSR):
cert, err := pkix.CreateCertificateHost(caCert, caKey, csr, expiry)
if err != nil {
	return nil, err
}
Summary
certificates offers a more feature-rich and actively maintained solution for PKI management, while certstrap provides a simpler and more lightweight approach for basic certificate operations. certificates is better suited for complex environments and advanced use cases, whereas certstrap may be preferable for quick and straightforward certificate generation tasks. The choice between the two depends on the specific requirements of the project and the desired level of functionality.
easy-rsa - Simple shell based CA utility
Pros of easy-rsa
- More mature and widely used, especially in OpenVPN deployments
- Supports a broader range of certificate operations and key types
- Offers more customization options and flexibility
Cons of easy-rsa
- Written in Bash, which can be less portable and harder to maintain
- Requires more manual configuration and setup
- May have a steeper learning curve for beginners
Code Comparison
easy-rsa:
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
certstrap:
certstrap init --common-name "CA"
certstrap request-cert --common-name "server"
certstrap sign "server" --CA "CA"
Both tools achieve similar goals, but certstrap offers a more streamlined and Go-based approach, while easy-rsa provides more extensive features through its Bash scripts. certstrap is designed for simplicity and ease of use, making it a good choice for quick setups or integration into Go projects. easy-rsa, on the other hand, offers more advanced features and is better suited for complex PKI management scenarios, particularly in OpenVPN environments.
A tool for secrets management, encryption as a service, and privileged access management
Pros of Vault
- Comprehensive secret management solution with advanced features like dynamic secrets, encryption as a service, and audit logging
- Highly scalable and designed for enterprise use with support for multiple backends and storage options
- Active development with regular updates and a large community
Cons of Vault
- More complex setup and configuration compared to Certstrap's simplicity
- Higher resource requirements and potential overhead for smaller projects
- Steeper learning curve for users new to secret management systems
Code Comparison
Certstrap (generating a certificate):
certstrap init --common-name "CA"
certstrap request-cert --common-name "example.com"
certstrap sign example.com --CA "CA"
Vault (generating a certificate using PKI secrets engine):
vault secrets enable pki
vault write pki/root/generate/internal common_name="CA" ttl=87600h
vault write pki/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="72h"
vault write pki/issue/example-dot-com common_name="example.com" ttl="24h"
While both tools can generate certificates, Vault offers more advanced configuration options and integrates with a broader secret management ecosystem. Certstrap focuses specifically on certificate generation and management, providing a simpler, more targeted solution for projects with less complex requirements.
An ACME-based certificate authority, written in Go.
Pros of Boulder
- Comprehensive ACME server implementation, supporting the full Let's Encrypt certificate issuance process
- Highly scalable and production-ready, used by Let's Encrypt to issue millions of certificates
- Extensive documentation and active community support
Cons of Boulder
- Complex setup and configuration, requiring multiple components and dependencies
- Steep learning curve for newcomers to ACME and PKI systems
- Resource-intensive, may be overkill for small-scale or personal certificate management needs
Code Comparison
Boulder (Go):
func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, request core.Authorization, regID int64) (core.Authorization, error) {
identifier := request.Identifier
if identifier.Type != core.IdentifierDNS {
return core.Authorization{}, berrors.MalformedError("invalid identifier type")
}
// ... (additional code)
}
Certstrap (Go):
func NewCertificate(cn string, o string, ou string, key *Key) (*Certificate, error) {
now := time.Now()
template := x509.Certificate{
Subject: pkix.Name{
CommonName: cn,
Organization: []string{o},
OrganizationalUnit: []string{ou},
},
// ... (additional code)
}
}
Boulder focuses on ACME protocol implementation, while Certstrap provides simpler certificate generation functions.
README
certstrap
A simple certificate manager written in Go, to bootstrap your own certificate authority and public key infrastructure. Adapted from etcd-ca.
certstrap is a very convenient app if you don't feel like dealing with openssl, its myriad of options or config files.
Common Uses
certstrap allows you to build your own certificate system:
- Initialize certificate authorities
- Create identities and certificate signature requests for hosts
- Sign and generate certificates
Certificate architecture
certstrap can init multiple certificate authorities to sign certificates with. Users can make arbitrarily long certificate chains by using signed hosts to sign later certificate requests, as well.
Examples
Getting Started
Building
certstrap must be built with Go 1.18+. You can build certstrap from source:
$ git clone https://github.com/square/certstrap
$ cd certstrap
$ go build
This will generate a binary called certstrap under the project root folder.
Initialize a new certificate authority:
$ ./certstrap init --common-name "CertAuth"
Created out/CertAuth.key
Created out/CertAuth.crt
Created out/CertAuth.crl
Note that the -common-name flag is required, and will be used to name output files. Moreover, this will also generate a new keypair for the Certificate Authority, though you can use a pre-existing private PEM key with the -key flag.
If the CN contains spaces, certstrap will change them to underscores in the filename for easier use. The spaces will be preserved inside the fields of the generated files:
$ ./certstrap init --common-name "Cert Auth"
Created out/Cert_Auth.key
Created out/Cert_Auth.crt
Created out/Cert_Auth.crl
Request a certificate, including keypair:
$ ./certstrap request-cert --common-name Alice
Created out/Alice.key
Created out/Alice.csr
certstrap requires either the -common-name or the -domain flag to be set in order to generate a certificate signing request; the CN for the certificate is taken from these fields. Only -domain, -ip and -uri populate the Subject Alternative Name extension, which is what TLS clients match the host against, so give a server certificate at least one of them rather than relying on the CN alone.
If your server has multiple IP addresses or domains, use a comma-separated ip/domain/uri list, e.g. ./certstrap request-cert -ip $ip1,$ip2 -domain $domain1,$domain2 -uri $uri1,$uri2
If you do not wish to generate a new keypair, you can use a pre-existing private PEM key with the -key flag.
Sign certificate request of host and generate the certificate:
$ ./certstrap sign Alice --CA CertAuth
Created out/Alice.crt from out/Alice.csr signed by out/CertAuth.key
PKCS Format:
If you'd like to convert your certificate and key to PKCS12 format, simply run:
$ openssl pkcs12 -export -out outputCert.p12 -inkey inputKey.key -in inputCert.crt -certfile CA.crt
inputKey.key and inputCert.crt make up the leaf private key and certificate pair of your choosing (generated by a sign command), with CA.crt being the certificate authority certificate that was used to sign it. The output PKCS12 file is outputCert.p12; openssl prompts for an export password that protects the bundled private key.
Key Algorithms:
Certstrap supports curves P-224, P-256, P-384, P-521, and Ed25519. Curve names can be specified by name as part of the init and request-cert commands:
$ ./certstrap init --common-name CertAuth --curve P-256
Created out/CertAuth.key
Created out/CertAuth.crt
Created out/CertAuth.crl
$ ./certstrap request-cert --common-name Alice --curve P-256
Created out/Alice.key
Created out/Alice.csr
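The init, request-cert and sign steps above (the same procedure the Getting Started list earlier on this page walks through), together with the --curve choice, expressed as an added example in standard-library Go. This is not certstrap's own code: it builds in memory what certstrap writes to out/, so the security-relevant decisions are visible in one place: the curve names map onto Go key types, the CA (not the requester) fixes lifetime, key usage and CA:TRUE, the CSR signature is checked as proof of possession before signing, and the result is verified the way a TLS client verifies it. It goes one step beyond the README by chaining a signed intermediate between root and leaf, which is the "signed hosts sign later requests" pattern from the Certificate architecture section. The function names (newKey, requestCert, sign, verifyChain, buildChain), the host name alice.example.test and the validity periods are this example's own choices, not certstrap flags or defaults.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Curve names as accepted by certstrap's --curve flag; Ed25519 is not an elliptic.Curve in Go.
var curves = map[string]elliptic.Curve{"P-224": elliptic.P224(), "P-256": elliptic.P256(), "P-384": elliptic.P384(), "P-521": elliptic.P521()}

// newKey generates a private key for one of the supported names and rejects anything else.
func newKey(curve string) (crypto.Signer, error) {
	if curve == "Ed25519" {
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	}
	if c, ok := curves[curve]; ok {
		return ecdsa.GenerateKey(c, rand.Reader)
	}
	return nil, fmt.Errorf("unsupported curve %q", curve)
}

// requestCert is `certstrap request-cert --common-name <cn> --domain <domains>`: a new keypair and
// a CSR. The DNS SANs are what TLS clients match the host name against; the CN alone is ignored.
func requestCert(cn, curve string, domains []string) (*x509.CertificateRequest, crypto.Signer, error) {
	key, err := newKey(curve)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: domains}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return csr, key, err
}

// sign is `certstrap sign <name> --CA <ca>`; with ca == nil the CSR is self-signed with its own key,
// which is what `certstrap init` amounts to. The CA, not the CSR, decides lifetime, key usage and
// IsCA: copying those from the request would let any requester mint an intermediate.
func sign(csr *x509.CertificateRequest, ca *x509.Certificate, caKey crypto.Signer, years int, isCA bool) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the private key
		return nil, fmt.Errorf("CSR signature check failed: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(years, 0, 0),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if ca == nil {
		ca = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain is the check a TLS client makes: leaf -> intermediates -> trusted root, then host name.
func verifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, dnsName string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: dnsName})
	return err
}

// buildChain runs the whole flow: a root CA, an intermediate signed by it, and a host cert signed by that.
func buildChain(curve string) (root, inter, leaf *x509.Certificate, err error) {
	rootCSR, rootKey, err := requestCert("CertAuth", curve, nil)
	if err != nil {
		return
	}
	if root, err = sign(rootCSR, nil, rootKey, 10, true); err != nil {
		return
	}
	interCSR, interKey, err := requestCert("CertAuth Intermediate", curve, nil)
	if err != nil {
		return
	}
	if inter, err = sign(interCSR, root, rootKey, 5, true); err != nil {
		return
	}
	leafCSR, _, err := requestCert("Alice", curve, []string{"alice.example.test"})
	if err != nil {
		return
	}
	leaf, err = sign(leafCSR, inter, interKey, 1, false)
	return
}

func main() {
	root, inter, leaf, err := buildChain("P-256")
	if err != nil {
		panic(err)
	}
	fmt.Println("verify alice.example.test:", verifyChain(leaf, []*x509.Certificate{inter}, root, "alice.example.test"))
	fmt.Println("verify bob.example.test:", verifyChain(leaf, []*x509.Certificate{inter}, root, "bob.example.test"))
}
```

The first verification returns nil and the second returns a hostname error, because the leaf's SAN is the only name that counts. Dropping the intermediate from the pool makes the leaf fail with an unknown-authority error, which is the same thing a server misconfigured to send only its leaf certificate produces; with certstrap, that means serving both Alice.crt and the intermediate's .crt, not just the leaf. The same policy split applies to the CLI: request-cert only ever produces a CSR, and everything about trust is decided at sign time by whoever holds the CA key.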
Retrieving Files
Outputted key, request, and certificate files can be found in the depot directory.
By default, this is in out/
Project Details
Contributing
See CONTRIBUTING for details on submitting patches.
License
certstrap is under the Apache 2.0 license. See the LICENSE file for details.