GitXplorerGitXplorer
j

certissuer

public
0 stars
0 forks
2 issues

Commits

List of commits on branch main.
Unverified
374a8c9faea116d2cb7b9f6133527930c34b3cfa

update deps, build universal binary on macos

jjulian7 committed 2 years ago
Unverified
8227b86614230b3d5e2e0b28f9fac02a3048b438

upgrade urfave/cli to 2.11.0

jjulian7 committed 3 years ago
Unverified
1f10d66e4442e9e1e127e21cf7445e1a4052aaab

Bump github.com/urfave/cli/v2 from 2.8.1 to 2.11.0

ddependabot[bot] committed 3 years ago
Unverified
55dcc491c09f96a510178152af142188b1ebcf52

release v0.1.0

jjulian7 committed 3 years ago
Unverified
a18a03d9b6ea056295028ed899e26a2293a49253

update dependencies

jjulian7 committed 3 years ago
Unverified
81ff7bcbd6b5c462ca2f058a68dac9c234dc27f1

Bump github.com/urfave/cli/v2 from 2.3.0 to 2.8.1

ddependabot[bot] committed 3 years ago

README

The README file for this repository.

certissuer

This little tool can issue certificates from Hashicorp Vault. Originally, it has been written to guarantee certificate refresh (which didn't happen sometimes using automatic refresh capabilities of various Vault-aware tools), but it comes handy in a lot of situations.

Usage

certissuer [global options]

where global options can be:

  • --address | -A : Vault URL address (default: $VAULT_ADDR). Required.
  • --token | -T : Vault token (default: $VAULT_TOKEN). Required.
  • --cn | -C : common name used in issued certificate. Required.
  • --pki | -P : PKI mount in Vault. Required.
  • --role | -R : PKI role in Vault. Required.
  • --ip | -i : add an IP-based Subject Alternative Name
  • --alt | -a : add a DNS name-based Subject Alternative Name
  • --ttl | -t : expiration duration. Sent to the server verbatim (default: 50h)
  • --ssldir | -d : Directory to put certificates to (default: /etc/ssl)
  • --no-verify | -k: Skips TLS verification while communicating to Vault (default: $VAULT_SKIP_VERIFY)
  • --format | -n : Certificate format (see later). Default: "well-known"
  • --help: shows help
  • --version: shows version

Formats

Certissuer can emit certificates in formats suit their purpose: providing certificates for HAProxy is different than doing it for NGINX. You can prefer storing all the certificates in a shared directory, or you might want to do it just how Certbot does.

Therefore, certissuer provides three formats:

  • well-known: every cert goes into its own directory, and each data goes into their own well-known file name. Eg. CA goes into ca.pem, leaf certificate goes into cert.pem, certificate and intermediate certs go to fullcert.pem, and private key goes to privkey.pem. This is the default.
  • named: this format saves full certificate chain (leaf and intermediate certificates concatenated) into <CN>.pem, and private key goes into <CN>.key.
  • haproxy: this format generates a single file called <CN>.pem, containing leaf and intermediate certificates, and private key concatenated together.

Any issues?

Open a ticket, perhaps a pull request. We support GitHub Flow. You might want to fork this project first.

Code of Conduct

Small utilities are not commonly gather large communities, but we still require that discursion should be civil. Therefore, we adapt Contributor Covenant's Code of Conduct for this project.

Licensing

SPDX-License-Identifier: BlueOak-1.0.0 OR MIT

This software is licensed under two licenses of your choice: Blue Oak Public License 1.0, or MIT Public License.