slawek/lab-ca
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity
Files
8114d667ec92d043bbb4a38adf9eb9ea31dcd1c4
lab-ca/README.md

6.8 KiB
Raw Blame History

Lab CA

This repository contains a simple CLI tool for managing a Certificate Authority (CA).

It is designed to be easy to use and provides a basic set of CA features:

  • Create a CA and a self-signed CA certificate
  • Create and sign common types of certificates:
    • Server certificate
    • Client certificate
    • Code signing certificate
    • Email certificate
  • Revoke a certificate
  • List issued certificates
  • Create a CRL (Certificate Revocation List)

NOTE: Certificate types can be combined (e.g. server,client).

Usage

The tool is used from the command line. It has a simple command structure:

lab-ca <command> [options]

The main commands available are:

  • initca — Initialize a new CA and create a self-signed CA certificate and key.
  • issue — Issue a new certificate signed by the CA (single certificate, command-line options).
  • provision — Provision multiple certificates from a batch file (HCL) in one go.
  • revoke — Revoke a certificate by name or serial number.
  • crl — Generate a Certificate Revocation List (CRL) from revoked certificates.
  • list — List issued certificates (optionally including revoked).
  • version — Show version information for the tool.

Run the command with -h or --help or without any arguments to see usage information. Each command has its own set of options, arguments, and a help message.

CA Initialization

Create a new CA configuration file (HCL):

ca "example_ca" {
  name = "Example CA"
  country = "US"
  organization = "ACME Corp"
  key_size = 4096
  validity = "10y"

  paths {
    certificates = "certs"
    private_keys = "private"
    state_file   = "ca_state.json"
  }
}
  • The ca block's label is used as a logical name for the CA and for the default state file name.
  • The paths block defines where certificates, private keys, and the CA state file are stored.
  • On Linux/macOS, the private keys directory is created with 0700 permissions.
  • The command does not encrypt private keys. Do not use in production.

Listing Certificates

List all issued (non-revoked) certificates:

lab-ca list

To include revoked certificates:

lab-ca list --revoked

Issuing a Certificate

Issue a new certificate from the command line:

lab-ca issue --name <name> [--subject <subject>] [--type <type>] [--validity <period>] [--san <SAN> ...] [--overwrite] [--dry-run] [--verbose]
  • --name (required): Name for the certificate and key files (used as subject if --subject is omitted)
  • --subject: Subject Common Name or full DN (optional, defaults to --name)
  • --type: Certificate type: client, server, code-signing, email (comma-separated for multiple usages; default: server)
  • --validity: Validity period (e.g. 2y, 6m, 30d; default: 1y)
  • --san: Subject Alternative Name (repeatable; e.g. dns:example.com, ip:1.2.3.4, email:user@example.com)
  • --overwrite: Allow overwriting existing files
  • --dry-run: Validate and show what would be created, but do not write files
  • --verbose: Print detailed information

Provisioning Certificates (Batch)

Provision multiple certificates from a batch file (HCL):

lab-ca provision --file <certificates.hcl> [--overwrite] [--verbose]

Example HCL Provisioning File

defaults {
    subject = "{{ .Name }}.example.org"
    type = "server,client"
    validity = "1y"
    san = ["DNS:{{ .Name }}.example.org"]
}

variables = {
    Domain = "example.net"
    Country = "EX"
}

certificate "service1" {
    # from default: subject = "{{ .Name }}.example.org"
    # from default: type = "server,client"
    # from default: validity = "1y"
    # from default: san = ["DNS:service1.example.org"]
}

certificate "service2" {
    subject = "{{ .Name }}.{{ .Domain }}" # result: service2.example.net
    san = ["DNS:{{ .Name }}.{{ .Domain }}"] # result: [ "DNS:service2.example.net" ]
}

certificate "service3" {}

certificate "user1" {
    subject = "CN=User One,emailAddress=user1@example.org,O=Example,C=US"
    type = "client,email"
    validity = "1y"
    san = ["email:user1@example.net"]
}
  • The defaults block provides default values for all certificates unless overridden.
  • The variables map can be used in Go template expressions in any field.
  • Each certificate block defines a certificate to be issued. The block label is available as {{ .Name }} in templates.
  • Fields:
    • subject: Subject string (can be a template)
    • type: Comma-separated usages (server, client, code-signing, email)
    • validity: Validity period (e.g. 1y, 6m, 30d)
    • san: List of SANs (e.g. DNS:..., IP:..., email:...)

Revoking a Certificate

Revoke a certificate by name or serial number:

lab-ca revoke --name <name> [--reason <reason>]
lab-ca revoke --serial <serial> [--reason <reason>]
  • --reason can be one of: unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL (default: cessationOfOperation)

Generating a CRL

Generate a Certificate Revocation List (CRL) from revoked certificates:

lab-ca crl [--crl-file <path>] [--validity-days <days>]
  • --crl-file: Output path for CRL file (default: crl.pem)
  • --validity-days: CRL validity in days (default: 30)

Version

Show version information:

lab-ca version

Configuration and Templates

  • All configuration and provisioning files use HCL (HashiCorp Configuration Language).
  • Go template syntax is supported in subject, san, and other string fields. The following variables are available:
    • .Name: The certificate name (from the block label)
    • Any key from the variables map

Example:

subject = "{{ .Name }}.{{ .Domain }}"
san = ["DNS:{{ .Name }}.{{ .Domain }}"]

Certificate Types and SANs

  • server: For server certificates. SANs should be DNS or IP.
  • client: For client certificates. SANs can be email or DNS.
  • email: For S/MIME/email certificates. SANs should be email.
  • code-signing: For code signing certificates.

The tool checks that SANs are valid for the selected certificate type(s). Certificate usage can be combined (e.g. server,client).

Example: Real-World Provisioning File

See examples/example-certificates.hcl for a more advanced provisioning file with templates and variables.

Building the Tool

The repository includes a build.sh script to build the CLI tool. It updates the version in version.go and builds the binary.

To ignore changes made to version.go in Git, you can run:

git update-index --assume-unchanged version.go

Notes

  • The tool does not encrypt private keys. Protect your private keys directory.
  • Not intended for production use.
  • For more information about HCL, see: https://github.com/hashicorp/hcl