A simple certificate manager written in Go. Easy to use with limited capability.
ca-ctl allows you to build your own certificate system:
- Create certificate authority
- Create, issue and export host certificates
- Manage host identities
- Deploy a Public Key Infrastructure
Primarily used for coreos/etcd SSL/TLS testing.
ca-ctl initializes a certificate authority and issues certificates signed directly by that authority; there are no intermediate CAs, so any certification path has length at most 2 (the CA certificate plus the host certificate).
$ ./ca-ctl init
Created ca/key
Created ca/crt
$ ./ca-ctl new-cert alice
Created alice/key
Created alice/csr
ca-ctl uses 127.0.0.1 as the IP SAN by default. If etcd has a peer address $etcd_ip other than 127.0.0.1, run ./ca-ctl new-cert -ip $etcd_ip alice instead.
If your server has multiple IP addresses or domains, pass a comma-separated list to -ip/-domain, e.g.: ./ca-ctl new-cert -ip $etcd_ip1,$etcd_ip2 -domain $etcd_domain1,$etcd_domain2
$ ./ca-ctl sign alice
Created alice/crt from alice/csr signed by ca.key
$ ./ca-ctl chain alice
-----BEGIN CERTIFICATE-----
CA certificate body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
alice certificate body
-----END CERTIFICATE-----
$ ./ca-ctl export alice > alice.tar
Because etcd takes an unencrypted key for -key-file and -peer-key-file, you should use ./ca-ctl export --insecure alice > alice.tar to export the private key. The resulting tarball then contains the plaintext key, so restrict its permissions and transport it accordingly.
$ ./ca-ctl status
ca: WARN (60 days until expiration)
alice: OK (120 days until expiration)
bob: Unsigned
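The three behaviours the examples above rely on (a host certificate carrying the -ip/-domain SANs, a chain that is always CA -> host, and the expiry classification printed by status) can be modelled in a few dozen lines with Go's standard crypto/x509 package. The block below is an added illustration written for this README; it is not ca-ctl's own code and does not read ca/key or alice/csr from disk. The 90-day WARN threshold, the P-256 key type and the EXPIRED/Unsigned labels are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key for tmpl and signs tmpl with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA is the equivalent of `ca-ctl init`. MaxPathLenZero means the CA may only sign
// end-entity certificates, so every chain is CA -> host: a path length of at most 2.
func newCA(now time.Time, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLenZero:        true,
	}, nil, nil)
}

// newHostCert is `ca-ctl new-cert -ip ... -domain ...` followed by `ca-ctl sign`;
// a malformed IP SAN is rejected rather than issued in a certificate no client accepts.
func newHostCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, name string, ips, domains []string, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     domains,
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid IP SAN %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// verifyChain checks that host chains to ca and is valid for addr (an IP or DNS name,
// the check a TLS client performs) and returns the length of the chain found.
func verifyChain(ca, host *x509.Certificate, addr string, now time.Time) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chains, err := host.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr, CurrentTime: now})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// status mirrors a `ca-ctl status` line; nil means the identity has no signed certificate.
// The warnDays threshold is an assumption: the README only shows 60 days as WARN and 120 as OK.
func status(cert *x509.Certificate, now time.Time, warnDays int) string {
	if cert == nil {
		return "Unsigned"
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	switch {
	case days < 0:
		return "EXPIRED"
	case days <= warnDays:
		return fmt.Sprintf("WARN (%d days until expiration)", days)
	}
	return fmt.Sprintf("OK (%d days until expiration)", days)
}
```

Calling newCA and then newHostCert with ips of "127.0.0.1" and "10.0.0.5" reproduces the alice example; verifyChain then succeeds for either address or for a listed domain and fails for any name not in the SAN list, which is exactly why a peer address other than 127.0.0.1 must be passed with -ip. Verifying the same certificate against a different CA also fails, so a client pinned to ca/crt only trusts hosts this authority actually signed.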
ca-ctl must be built with Go 1.3+. You can build it from source:
$ git clone https://github.com/wulonghui/ca-ctl
$ cd ca-ctl
$ ./build
This will generate a binary called ./bin/ca-ctl.
See also: Generate certificates for etcd.
See CONTRIBUTING for details on submitting patches and contacting developers via IRC and mailing lists.
ca-ctl is under the Apache 2.0 license. See the LICENSE file for details.