
easypki's Introduction


easypki

Easy Public Key Infrastructure intends to provide most of the components needed to manage a PKI, so you can either use the API in your automation, or use the CLI.

API


For the latest API:

import "gopkg.in/google/easypki.v1"

Legacy API

The API below pkg/ has been rewritten for extensibility (pluggable PKI storage) and better readability.

If you used the legacy API that was only writing files to disk, a tag has been applied so you can still import it:

import "gopkg.in/google/easypki.v0"

CLI

The current CLI implementation uses the local on-disk store and lays it out in a structure compatible with openssl, so you are not locked in to easypki for working with the generated files.

# Get the CLI:
go get github.com/google/easypki/cmd/easypki


# You can also pass the following through arguments if you do not want to use
# env variables.
export PKI_ROOT=/tmp/pki
export PKI_ORGANIZATION="Acme Inc."
export PKI_ORGANIZATIONAL_UNIT=IT
export PKI_COUNTRY=US
export PKI_LOCALITY="Agloe"
export PKI_PROVINCE="New York"

mkdir $PKI_ROOT

# Create the root CA:
easypki create --filename root --ca "Acme Inc. Certificate Authority"

# In the following commands, ca-name corresponds to the filename containing
# the CA.

# Create a server certificate for blog.acme.com and www.acme.com:
easypki create --ca-name root --dns blog.acme.com --dns www.acme.com www.acme.com

# Create an intermediate CA:
easypki create --ca-name root --filename intermediate --intermediate "Acme Inc. - Internal CA"

# Create a wildcard certificate for internal use, signed by the intermediate ca:
easypki create --ca-name intermediate --dns "*.internal.acme.com" "*.internal.acme.com"

# Create a client certificate:
easypki create --ca-name intermediate --client --email [email protected] [email protected]

# Revoke the www certificate.
easypki revoke $PKI_ROOT/root/certs/www.acme.com.crt

# Generate a CRL expiring in 1 day (PEM Output on stdout):
easypki crl --ca-name root --expire 1

You will find the generated certificates in $PKI_ROOT/ca_name/certs/ and the private keys in $PKI_ROOT/ca_name/keys/.

For more info about the available flags, check out the help: easypki -h.

Disclaimer

This is not an official Google product.

easypki's People

Contributors

fujin, jeremy-clerc, theckman

easypki's Issues

Unable to install Debian

Hi

I guess I am missing something obvious.

root@lamp /tmp/pki# go get github.com/google/easypki/pkg/easypki

github.com/google/easypki/pkg/easypki

/go/src/github.com/google/easypki/pkg/easypki/easypki.go:87: privateKey.Public undefined (type *rsa.PrivateKey has no field or method Public)
/go/src/github.com/google/easypki/pkg/easypki/template.go:53: genReq.Template.MaxPathLenZero undefined (type *x509.Certificate has no field or method MaxPathLenZero)

Use of hardlinks

Greetings,

We like to keep our pki offline. Given that some folks are Linux, and others are Mac, the best format to use (most unfortunately) is FAT32. That has a problem with hard-links. Do we really need to store things both within the hierarchy and flat? If not, we could have an option to make the hard-links or not, but then we need to look in the same place for files (right now, if the hardlink fails, you can't read the signing key, for example).

If not, could we make a copy rather than a hardlink (yes, wasteful, I know, but we are talking about small bits of data)?

Thoughts?

Import CA cert to browser

I'm trying to import the CA cert into a browser, following this step of the README.md of the ClientAuth example:

Import CA+chain.crt in your favorite browser.

However, I got this error on Chrome:

The Private Key for this Client Certificate is missing or invalid.

Signing CSR

Hello,

congrats on the project, I think something like this is widely needed.

It would be great though, if it were possible to sign CSRs.

Regards
Alexander

too many errors

Hi, I'm a newbie in Go and I want to use the CLI of this repository on CentOS 7.
As stated in the README file, I executed the command go get github.com/google/easypki/cmd/easypki, which is supposed to get the CLI. But I'm getting this huge error stack.
I'm using go version 1.15.2.

[root@localhost opt]# go get github.com/google/easypki/cmd/easypki
# github.com/google/easypki/cmd/easypki
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:52:37: cannot slice c.Args() (type cli.Args)
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:126:14: cannot range over c.Args() (type cli.Args)
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:159:5: app.Author undefined (type *cli.App has no field or method Author)
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:160:5: app.Email undefined (type *cli.App has no field or method Email)
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:171:17: cannot use cli.StringFlag literal (type cli.StringFlag) as type cli.Flag in slice literal:
        cli.StringFlag does not implement cli.Flag (Apply method has pointer receiver)
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:175:4: unknown field 'EnvVar' in struct literal of type cli.StringFlag
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:184:4: cannot use r.revoke (type func(*cli.Context)) as type cli.ActionFunc in field value
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:189:4: cannot use r.crl (type func(*cli.Context)) as type cli.ActionFunc in field value
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:191:16: cannot use cli.IntFlag literal (type cli.IntFlag) as type cli.Flag in slice literal:
        cli.IntFlag does not implement cli.Flag (Apply method has pointer receiver)
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:196:5: cannot use caNameFlag (type cli.StringFlag) as type cli.Flag in slice literal:
        cli.StringFlag does not implement cli.Flag (Apply method has pointer receiver)
/root/go/src/github.com/google/easypki/cmd/easypki/main.go:196:5: too many errors

If I'm doing things wrong please provide how to build the project.

easypki doesn't allow you to create intermediate CAs

Hey there,

I was looking to use easypki to create a CA that has the intent of becoming an offline root CA. When I went to begin creating intermediate certificates from the root CA, it became apparent that easypki lacked the ability to do so. At the same time, I noticed easypki also doesn't allow you to set the MaxDepthLen, which is something you may want on a root CA and probably on an intermediate.

I've preempted the CONTRIBUTING.md file, slightly, by making modifications to easypki to unblock myself. Because of there only being certain fields available in the *x509.Certificate struct, I believe this does require a breaking change in the API. It is mildly convenient because GenerateCertifcate is missing an i in certificate anyhow, so we can also fix that typo!

For the user, I've implemented the above as two flags:

  • --intermediate - tells easypki to generate an intermediate
  • --max-depth-len - sets the pathLenConstraint in the Basic Constraints standard extension

I'm happy to open a PR if you'd like to see the implementation or I am happy to discuss it more in this issue.

easypki doesn't give server certs ExtKeyUsageClientAuth

While in the process of rolling out my CA I discovered an issue with the certificates being generated by easypki. I was trying to use certificates generated by easypki within Consul, but I kept getting errors indicating the certificate did not have the correct usage extensions. Upon inspecting one of my organization's commercial certificates, I noticed that it had both ServerAuth and ClientAuth.

I've fixed this bug in the same branch that adds the functionality requested in #2. If you'd like it separate from that I'd be happy to cherry-pick the work.

"go get" fails with "too many errors"

When using either go1.13.4 and go1.12.13 linux/amd64 builds from https://golang.org/dl/ on Ubuntu 18.04, running:

go get github.com/google/easypki/cmd/easypki

Results in:

# github.com/google/easypki/cmd/easypki
go/src/github.com/google/easypki/cmd/easypki/main.go:52:37: cannot slice c.Args() (type cli.Args)
go/src/github.com/google/easypki/cmd/easypki/main.go:126:14: cannot range over c.Args() (type cli.Args)
go/src/github.com/google/easypki/cmd/easypki/main.go:159:5: app.Author undefined (type *cli.App has no field or method Author)
go/src/github.com/google/easypki/cmd/easypki/main.go:160:5: app.Email undefined (type *cli.App has no field or method Email)
go/src/github.com/google/easypki/cmd/easypki/main.go:171:17: cannot use cli.StringFlag literal (type cli.StringFlag) as type cli.Flag in array or slice literal:
	cli.StringFlag does not implement cli.Flag (Apply method has pointer receiver)
go/src/github.com/google/easypki/cmd/easypki/main.go:175:4: unknown field 'EnvVar' in struct literal of type cli.StringFlag
go/src/github.com/google/easypki/cmd/easypki/main.go:184:4: cannot use r.revoke (type func(*cli.Context)) as type cli.ActionFunc in field value
go/src/github.com/google/easypki/cmd/easypki/main.go:189:4: cannot use r.crl (type func(*cli.Context)) as type cli.ActionFunc in field value
go/src/github.com/google/easypki/cmd/easypki/main.go:191:16: cannot use cli.IntFlag literal (type cli.IntFlag) as type cli.Flag in array or slice literal:
	cli.IntFlag does not implement cli.Flag (Apply method has pointer receiver)
go/src/github.com/google/easypki/cmd/easypki/main.go:196:5: cannot use caNameFlag (type cli.StringFlag) as type cli.Flag in array or slice literal:
	cli.StringFlag does not implement cli.Flag (Apply method has pointer receiver)
go/src/github.com/google/easypki/cmd/easypki/main.go:196:5: too many errors

easypki should add ExtKeyUsageAny extension for CAs

When troubleshooting certificate chain issues with the CA generated by easypki and Consul, I ran into the following Hashicorp/Vault issue regarding an issue with CAs it was generating:

In short, without the ExtKeyUsageAny extension the Go runtime was failing to validate the certificate chain. The suggested change by the Vault developers was to change Vault to give the CAs the ExtKeyUsageAny extension.

I've found/fixed this bug while working on my branch that implements the functionality in #2.
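The hierarchy the CLI section builds (root, intermediate, leaf) and the three issues above (a pathLenConstraint on intermediate CAs, ServerAuth plus ClientAuth on server certificates, and the EKU check that Go applies to CA certificates) can all be checked against Go's own crypto/x509 chain validation. The program below is an added example, not easypki's code and not a proposed patch: it issues a constructed "Acme Inc." hierarchy with Ed25519 keys (easypki itself uses RSA) and reports which verifications Go accepts. The Scenario, issue, caTemplate, serverTemplate and verifyFor functions, and every name and serial in it, are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type entity struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// issue signs tmpl with parent (self-signed when parent is nil) and records any failure in *errp.
func issue(tmpl *x509.Certificate, parent *entity, errp *error) *entity {
	pub, key, err := ed25519.GenerateKey(rand.Reader) // constructed keys; easypki uses RSA, Ed25519 is just faster here
	if err != nil {
		*errp = err
		return nil
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed; a real CA uses random serials
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	var cert *x509.Certificate
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		*errp = err
		return nil
	}
	return &entity{cert: cert, key: key}
}

// caTemplate builds a CA; maxPathLen is the Basic Constraints pathLenConstraint, nil ekus means no EKU extension.
func caTemplate(cn string, maxPathLen int, ekus []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{Organization: []string{"Acme Inc."}, CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
	}
}

// serverTemplate carries both ServerAuth and ClientAuth, the combination the Consul issue needed.
func serverTemplate(dns ...string) *x509.Certificate {
	return &x509.Certificate{
		Subject:     pkix.Name{Organization: []string{"Acme Inc."}, CommonName: dns[0]},
		DNSNames:    dns,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// verifyFor validates chain[0] up to the trusted root chain[len(chain)-1] for one usage; Go applies the EKU check to the CAs too.
func verifyFor(chain []*x509.Certificate, usage x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// Scenario builds a constructed Acme root -> intermediate -> leaf hierarchy with caEKUs on both CAs and reports what validates.
func Scenario(caEKUs []x509.ExtKeyUsage) (serverOK, clientOK, deepOK bool, err error) {
	root := issue(caTemplate("Acme Inc. Certificate Authority", 1, caEKUs), nil, &err)
	inter := issue(caTemplate("Acme Inc. - Internal CA", 0, caEKUs), root, &err)
	leaf := issue(serverTemplate("www.acme.com", "blog.acme.com"), inter, &err)
	subCA := issue(caTemplate("Acme Inc. - Team CA", 0, caEKUs), inter, &err) // one level deeper than pathLen 0 allows
	deepLeaf := issue(serverTemplate("app.internal.acme.com"), subCA, &err)
	if err != nil {
		return
	}
	chain := []*x509.Certificate{leaf.cert, inter.cert, root.cert}
	serverOK = verifyFor(chain, x509.ExtKeyUsageServerAuth) == nil
	clientOK = verifyFor(chain, x509.ExtKeyUsageClientAuth) == nil
	deepOK = verifyFor([]*x509.Certificate{deepLeaf.cert, subCA.cert, inter.cert, root.cert}, x509.ExtKeyUsageServerAuth) == nil
	return
}

func main() {
	for _, ekus := range [][]x509.ExtKeyUsage{nil, {x509.ExtKeyUsageServerAuth}, {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageAny}} {
		s, c, d, err := Scenario(ekus)
		fmt.Printf("CA EKUs %v: serverAuth=%v clientAuth=%v deepChain=%v err=%v\n", ekus, s, c, d, err)
	}
}
```

With no EKU extension on the CAs, the leaf validates for both ServerAuth and ClientAuth. Restricting the CAs to ServerAuth makes the ClientAuth verification fail even though the leaf itself carries ClientAuth, because Go's verifier requires every certificate in the chain, CAs included, to permit the requested usage; adding ExtKeyUsageAny to the CAs restores it, which is the change the Vault thread above arrived at. The deep chain fails in every scenario: the intermediate's pathLenConstraint of 0 means no CA issued below it is trusted, which is the property the proposed --max-depth-len flag exposes.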
