2 unstable releases

0.2.0 Oct 9, 2023
0.1.0 Oct 7, 2023


Custom license


myca

My CA is a developer tool that generates TLS certificate chains. It is meant for use in a developer workflow and can currently generate a chain consisting of one root CA and one end-entity certificate, along with their private keys. The end-entity certificate is signed by the root CA.

features

  • easy
  • tested
  • flexible

installation

The easiest method is currently cargo install myca. You can also clone this repo and build it with cargo build.

usage

Once the binary is compiled, you only need to pass a path into which the generated files are written.

myca -o output/dir/

In the output directory you will find these files:

  • cert.pem (end-entity's X.509 certificate, signed by root-ca's key)
  • cert.key.pem (end-entity's private key)
  • root-ca.pem (CA's self-signed X.509 certificate)
  • root-ca.key.pem (CA's private key)

root-ca.key.pem is only present in case you want to use it later, for example to sign more end-entity certificates. If you plan on using these files as anything more than temporary, throwaway secrets for testing and development, be very careful with this key: whoever holds it can issue certificates that chain to your root. If you don't need it, destroy it.

Or, without installing, with cargo run:

cargo run -- -o output/dir

You can then use the same tool to view the contents of the generated certificate (or of any X.509 certificate).

myca --parse path/to/cert.pem

For a complete list of supported options:

myca --help

FAQ

What signature schemes are available?

  • pkcs_ecdsa_p256_sha256
  • pkcs_ecdsa_p384_sha384
  • pkcs_ed25519
  • pkcs_rsa_sha256
  • pkcs_rsa_sha384
  • pkcs_rsa_sha512

Why can't my client authenticate with server?

Make sure you pass --clientauth when generating certificate for client authentication.

How do I use this for mutual authentication?

Essentially, run myca twice. Copy root-ca.pem to the authenticator and copy cert.pem and cert.key.pem to the thing desiring authentication. That is probably not a very good explanation. Let me think about it and ask again later.
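The two FAQ items above (a client certificate that the server refuses, and the root-ca.pem / cert.pem + cert.key.pem split for mutual authentication) both come down to what is inside the files myca writes. The following is an added example, not myca's code: it builds the same one-root-CA-plus-one-end-entity chain with the third-party Python cryptography package, writes the four files under the names listed in the usage section, and checks two things a practitioner wants to confirm before debugging a TLS handshake: that cert.pem actually chains to root-ca.pem, and whether the end-entity is permitted to authenticate as a client. It assumes, as is conventional, that client authentication is expressed by the clientAuth extended key usage; the page does not state how myca's --clientauth flag encodes this. The function names and the "myca example root" name are this example's own.

```python
# Added example, not part of myca. Requires the `cryptography` package.
# Assumption: client authentication is signalled by the clientAuth
# extended key usage (the conventional encoding; not stated on the page).
from datetime import datetime, timedelta, timezone
from pathlib import Path

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _validity(days=30):
    # Short lifetime: these are throwaway development credentials.
    now = datetime.now(timezone.utc)
    return now - timedelta(minutes=5), now + timedelta(days=days)


def make_root_ca(common_name="myca example root"):
    """Self-signed CA certificate (the role of root-ca.pem) and its key."""
    key = ec.generate_private_key(ec.SECP256R1())  # like pkcs_ecdsa_p256_sha256
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_end_entity(ca_key, ca_cert, dns_name, client_auth=False):
    """End-entity certificate (the role of cert.pem), signed by the CA key."""
    key = ec.generate_private_key(ec.SECP256R1())
    purpose = (ExtendedKeyUsageOID.CLIENT_AUTH if client_auth
               else ExtendedKeyUsageOID.SERVER_AUTH)
    not_before, not_after = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_name)]))
        .issuer_name(ca_cert.subject)  # chain link: issuer == CA subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([purpose]), critical=False)
        .sign(ca_key, hashes.SHA256())  # signed by the CA, not by itself
    )
    return key, cert


def chains_to(ca_cert, cert):
    """True if `cert` was issued by `ca_cert`: the issuer name matches the CA
    subject, the CA is marked as a CA, and the CA public key verifies the
    signature over the to-be-signed bytes."""
    if cert.issuer != ca_cert.subject:
        return False
    basic = ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    if not basic.ca:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
    except InvalidSignature:
        return False
    return True


def allows_client_auth(cert):
    """The check behind the FAQ: a server rejects a client certificate whose
    extended key usage does not include clientAuth."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.CLIENT_AUTH in eku


def write_bundle(out_dir, ca_key, ca_cert, ee_key, ee_cert):
    """Write the four files under the names the usage section lists."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    pem, pkcs8, plain = (serialization.Encoding.PEM,
                         serialization.PrivateFormat.PKCS8,
                         serialization.NoEncryption())
    files = {
        "root-ca.pem": ca_cert.public_bytes(pem),
        "root-ca.key.pem": ca_key.private_bytes(pem, pkcs8, plain),
        "cert.pem": ee_cert.public_bytes(pem),
        "cert.key.pem": ee_key.private_bytes(pem, pkcs8, plain),
    }
    for name, data in files.items():
        (out / name).write_bytes(data)
    return sorted(files)
```

For mutual authentication, call make_root_ca once and make_end_entity twice against the same CA: once for the server and once with client_auth=True for the client. The server side then needs only root-ca.pem to validate the client, and the client side needs cert.pem and cert.key.pem to prove its identity; chains_to and allows_client_auth are the two checks to run on a client certificate that a server keeps rejecting.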

justification

Self-signed certificates are great, but they don't let you test authentication against a CA. OpenSSL wrapped in bash is great, but you have to know many things to output a valid certificate chain, and as your application evolves your collection of bash scripts may become large and difficult to maintain. This tool is meant to be easy enough to generate a valid certificate chain by supplying only a directory to output it into, and flexible enough that you can easily modify the parameters you need.
