If only everything had a certificate (and relevant certificate authorities), identity would be easy...
Anyway, openssl is still probably the most common tool, but we want shiny new things, right?
mkcert does 2 things: install a local CA, and generate certificates signed by the CA.
```sh
# create/install a CA
mkcert -install
# show where the CA key/cert are
mkcert -CAROOT

# create leaf certificate
mkcert -ecdsa example.com 127.0.0.1
```
step-cli bundles a lot of tools for certificates and other things that need signing. It's more verbose than mkcert but also gives more control.
```sh
# create root ca ($subject is the certificate's subject CN, set it first)
step-cli certificate create "$subject" root.crt root.key --profile=root-ca --kty OKP --curve Ed25519
# install a ca
step-cli certificate install root.crt

# (optional) create intermediate ca
step-cli certificate create "$subject" intr.crt intr.key --profile=intermediate-ca --kty OKP --curve Ed25519 --ca root.crt --ca-key root.key
# create leaf certificate (signed by the intermediate, so pass the intermediate's key, not the root's)
step-cli certificate create "$subject" leaf.crt leaf.key --profile=leaf --kty OKP --curve Ed25519 --ca intr.crt --ca-key intr.key --san example.com --san 127.0.0.1

# view cert details
step-cli certificate inspect leaf.crt
```
step-cli can also do a lot more stuff, some interesting ones:
step-cli crypto jwt: manipulates JSON Web Tokens
step-cli crypto otp: generate/verify (T)OTP
step-cli ssh certificate: manipulate SSH certificates

cfssl is more geared towards API use: at a minimum, you need to provide a CSR in JSON for it to generate keys / sign.
cert-manager is a CA thingy you run in k8s. It has a kubectl plugin to help with managing certs, a bit like cfssl, but with YAML.
openssl is the sort of inconsistent thing that we're all stuck with.
```sh
# create root ca
openssl req -x509 -key <(openssl genpkey -algorithm ED25519 | tee root.key) -subj "/CN=me" -out root.crt

# create leaf cert (no -sha256: Ed25519 uses a fixed digest, and older openssl
# rejects an explicit digest flag for it)
openssl x509 -req -in <( \
  openssl req -new -key <( \
    openssl genpkey -algorithm ED25519 | tee leaf.key \
  ) -subj "/CN=me" \
) -CA root.crt -CAkey root.key -CAcreateserial -out leaf.crt

# view cert
openssl x509 -in leaf.crt -text
```
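The one-liners above produce a leaf with no SANs and never check that the result actually validates. As an added example (not from the original notes), here is the same openssl flow built out with a SAN-bearing leaf and a verify step that checks chain, purpose and hostname the way a TLS client would; the subjects, file names and temp directories are this example's own.

```sh
# Added example (not from the original notes): root CA + SAN-bearing leaf with
# openssl only, then verified the way a TLS client would. Names are made up.
set -eu
# mk_chain DIR: writes root.key/root.crt and leaf.key/leaf.crt into DIR
mk_chain() {
  dir=$1
  # own req config, so the result does not depend on the system openssl.cnf
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # root: self-signed Ed25519 cert marked CA:TRUE (verify rejects a root without it)
  openssl genpkey -algorithm ED25519 -out "$dir/root.key"
  openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/root.key" \
    -subj "/CN=local test root" -days 365 -out "$dir/root.crt"
  # leaf: CSR signed by the root; SANs via -extfile since modern clients ignore the
  # CN. No -sha256: Ed25519 has a fixed digest and older openssl rejects the flag.
  openssl genpkey -algorithm ED25519 -out "$dir/leaf.key"
  openssl req -new -config "$dir/ca.cnf" -key "$dir/leaf.key" \
    -subj "/CN=example.com" -out "$dir/leaf.csr"
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = serverAuth' 'subjectAltName = DNS:example.com,IP:127.0.0.1' \
    > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt"
}
# check_chain DIR: succeeds only if leaf.crt chains to root.crt, is valid as a
# TLS server cert, and its SANs match both the expected hostname and IP
check_chain() {
  openssl verify -CAfile "$1/root.crt" -purpose sslserver \
    -verify_hostname example.com "$1/leaf.crt" >/dev/null &&
  openssl verify -CAfile "$1/root.crt" -verify_ip 127.0.0.1 "$1/leaf.crt" >/dev/null
}
# check_untrusted DIR: succeeds only if a freshly made, unrelated root does NOT
# verify leaf.crt (i.e. verify is really checking the signature, not just the name)
check_untrusted() {
  other=$(mktemp -d)
  mk_chain "$other"
  ! openssl verify -CAfile "$other/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}
work=$(mktemp -d)
mk_chain "$work" && check_chain "$work" && check_untrusted "$work" && echo "leaf.crt: OK"
```

Drop `-verify_hostname`/`-verify_ip` to see that plain `openssl verify` says OK for a cert whose SANs don't match what you'll actually connect to; clients won't be that forgiving.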
other fun things
```sh
# show the cert of a server
openssl s_client -showcerts -connect example.com:443 </dev/null | openssl x509 -text -noout
```