cert cli

modern cli tools to work with certificates


cert cli

modern cli tools to work with certificates


If only everything had a certificate (and relevant certificate authorities), identity would be easy...

Anyway, openssl is still probably the most common tool, but we want shiny new things, right?


mkcert does 2 things: install a local CA, and generate certificates signed by the CA.

1# create/install a CA
2mkcert -install
3# show where the CA key/cert are
4mkcert -CAROOT
6# create leaf certificate
7mkcert -ecdsa example.com


step-cli bundles a lot of certificate / things that need signing tools together. More verbose but also gives more control.

 1# create root ca
 2step-cli certificate certificate create $subject root.crt root.key --profile=root-ca --kty OKP --curve Ed25519
 3# install a ca
 4step-cli certificate install root.crt
 6# (optional) create intermediate ca
 7step-cli certificate certificate create $subject intr.crt intr.key --profile=intermediate-ca --kty OKP --curve Ed25519 --ca root.crt --ca-key root.key
 8# create leaf certificate
 9step-cli certificate certificate create $subject leaf.crt leaf.key --profile=leaf --kty OKP --curve Ed25519 --ca intr.crt --ca-key root.key --san example.com --san
11# view cert details
12step-cli certificate inspect cert.pem

step-cli can also do a lot more stuff, some interesting ones:


cfssl is more geared towards api use, at a minimum, you need to provide a CSR in json for it to generate keys / sign.


cert-manager is a ca thingy you run in k8s. it has a kubectl plugin to help with managing certs, a bit like cfssl, but with yaml.


openssl the sort of inconsistent thing that we're all stuck with.

 1# create root ca
 2openssl req -x509 -key <(openssl genpkey -algorithm ED25519 | tee root.key) -subj "/CN=me" -out root.crt
 4# create leaf cert
 5openssl x509 -req -in <( \
 6  openssl req -new -key <( \
 7    openssl genpkey -algorithm ED25519 | tee leaf.key \
 8  ) -subj "/CN=me" \
 9) -CA root.crt -CAkey root.key -CAcreateserial -out leaf.crt -sha256
11# view cert
12openssl x509 -in leaf.crt -text

other fun things