golang x-ca client: creates a self-signed Root CA and a Second-Level (TLS) CA, and signs certificates for domain names and IP addresses.
A shell implementation of the same workflow lives at github.com/x-ca/x-ca.
Download the release binary (choose one OS and one architecture from the braces):
curl -Lfs -o xca https://github.com/x-ca/go-ca/releases/latest/download/xca-{linux|darwin|windows}-{amd64|arm64|s390x|ppc64le}
chmod +x xca
mv xca /usr/local/bin/
$ xca --help
Create the Root CA and the TLS CA (-create-ca is a boolean flag: pass it as -create-ca or -create-ca=true; a separate "true" argument is the first non-flag argument, which stops Go flag parsing, so the flags after it would be ignored):
xca -create-ca=true \
-root-cert x-ca/ca/root-ca.crt \
-root-key x-ca/ca/root-ca/private/root-ca.key \
-tls-cert x-ca/ca/tls-ca.crt \
-tls-key x-ca/ca/tls-ca/private/tls-ca.key \
-tls-chain x-ca/ca/tls-ca-chain.pem
Sign a certificate for domain names and/or IP addresses with the TLS CA:
xca -cn xxxx \
--domains "xxx,xxx" --ips "xxx,xxx" \
-tls-cert x-ca/ca/tls-ca.crt \
-tls-key x-ca/ca/tls-ca/private/tls-ca.key \
-tls-chain x-ca/ca/tls-ca-chain.pem
Usage:
-cn string
sign cert common name.
-create-ca
Create the Root CA and the TLS CA.
-domains string
Comma-Separated domain names.
-help
show help message
-ips string
Comma-Separated IP addresses.
-root-cert string
Root certificate file path, PEM format. (default "x-ca/ca/root-ca.crt")
-root-key string
Root private key file path, PEM format. (default "x-ca/ca/root-ca/private/root-ca.key")
-tls-cert string
Second-Level certificate file path, PEM format. (default "x-ca/ca/tls-ca.crt")
-tls-chain string
Root/Second-Level CA Chain file path, PEM format. (default "x-ca/ca/tls-ca-chain.pem")
-tls-key string
Second-Level private key file path, PEM format. (default "x-ca/ca/tls-ca/private/tls-ca.key")
-tls-key-password string
TLS CA key password; only works for keys created by github.com/x-ca/x-ca (legacy PEM encryption with a DEK-Info header).
-version
show version info.
Source Code:
https://github.com/x-ca/go-ca
- create ca
xca -create-ca=true \
-root-cert x-ca/ca/root-ca.crt \
-root-key x-ca/ca/root-ca/private/root-ca.key \
-tls-cert x-ca/ca/tls-ca.crt \
-tls-key x-ca/ca/tls-ca/private/tls-ca.key
(-tls-chain defaults to x-ca/ca/tls-ca-chain.pem.)
Install x-ca/ca/root-ca.crt into the trust store of every client that must accept these certificates; add x-ca/ca/tls-ca.crt only for clients that do not receive the chain from the server. Keep the private keys under x-ca/ca/*/private/ out of any trust store, and keep the root key off the machines that sign day to day.
- or use x-ca
Reuse an existing CA directory instead of creating one, for example a checkout laid out like the defaults above:
mkdir path && cd path
git clone git@github.com:x-ca/ca.git x-ca
- sign domain
xca -cn xiexianbin.cn \
--domains "*.xiexianbin.cn,*.80.xyz" \
--ips 100.80.0.128 \
-tls-cert x-ca/ca/tls-ca.crt \
-tls-key x-ca/ca/tls-ca/private/[tls-ca.key | tls-ca-des3.key]
Use tls-ca-des3.key together with -tls-key-password. Clients match only the SANs, not the CN: *.xiexianbin.cn covers dev.xiexianbin.cn but not xiexianbin.cn itself, so list the bare name in --domains too if it must be served.
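To make the CA layout of the create and sign steps concrete, here is an added example in Go (not code from go-ca or the x-ca shell implementation) that does in one program what the two xca invocations do in sequence: self-sign a Root CA, issue a path-length-0 TLS CA under it, sign a server certificate carrying the -cn/-domains/-ips values as SANs, and then verify it the way a TLS client would. The CA names, the 20/10/1-year lifetimes and the P-256 keys are this example's choices, not the tool's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CA pairs a certificate with the private key that signs on its behalf.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// caTemplate: pathLen 1 for the Root CA (one CA level below it), 0 for the TLS CA (end-entity certs only).
func caTemplate(cn string, pathLen, years int) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0, // a pathLen of 0 is only encoded when this is set
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate carries the -cn/-domains/-ips values; clients match the SANs, never the CN.
func leafTemplate(cn string, domains []string, ips []net.IP) *x509.Certificate {
	return &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		DNSNames:    domains,
		IPAddresses: ips,
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue generates a P-256 key, gives tmpl a random 128-bit serial (RFC 5280 practice)
// and signs it with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *CA) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// buildHierarchy mirrors the xca layout: Root CA -> TLS CA -> server certificate.
func buildHierarchy(cn string, domains []string, ips []net.IP) (root, tlsCA, leaf *CA, err error) {
	if root, err = issue(caTemplate("Root CA", 1, 20), nil); err != nil {
		return
	}
	if tlsCA, err = issue(caTemplate("TLS CA", 0, 10), root); err != nil {
		return
	}
	leaf, err = issue(leafTemplate(cn, domains, ips), tlsCA)
	return
}

// verifyLeaf does what a TLS client does: build leaf -> TLS CA -> Root CA with only
// the Root CA trusted (the TLS CA arrives with the server bundle) and match host to the SANs.
func verifyLeaf(leaf, tlsCA, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(tlsCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	root, tlsCA, leaf, err := buildHierarchy("xiexianbin.cn",
		[]string{"*.xiexianbin.cn", "*.80.xyz"}, []net.IP{net.ParseIP("100.80.0.128")})
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"dev.xiexianbin.cn", "100.80.0.128", "xiexianbin.cn"} {
		fmt.Printf("%-18s verify: %v\n", host, verifyLeaf(leaf.Cert, tlsCA.Cert, root.Cert, host))
	}
}
```

The third check failing is the point worth noticing: the wildcard SAN does not cover the bare domain and the CN is ignored by Go (since 1.15) and by browsers, so every name must be in -domains. The trust relationship is the same as with xca's files: a client needs only root-ca.crt, while the server presents the leaf followed by the TLS CA certificate (the bundle), and the intermediate's pathLen of 0 means a leaked TLS CA key cannot be used to mint further CAs.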
- test cert
docker run -it -d \
-p 8443:443 \
-v $(pwd)/examples/default.conf:/etc/nginx/conf.d/default.conf \
-v $(pwd)/x-ca/certs/xiexianbin.cn/xiexianbin.cn.bundle.crt:/etc/pki/nginx/server.crt \
-v $(pwd)/x-ca/certs/xiexianbin.cn/xiexianbin.cn.key:/etc/pki/nginx/private/server.key \
nginx
Point dev.xiexianbin.cn at the Docker host (for example in /etc/hosts) and visit https://dev.xiexianbin.cn:8443/ ; the browser must trust root-ca.crt for the page to load without a warning. From the shell, openssl s_client with -servername dev.xiexianbin.cn and -CAfile x-ca/ca/root-ca.crt should report "Verify return code: 0 (ok)".
If the CA key file begins with BEGIN ENCRYPTED PRIVATE KEY (PKCS#8 encryption), loading it fails with
Error: fromPEMBytes: x509: no DEK-Info header in block
because -tls-key-password only handles the legacy OpenSSL PEM encryption, whose block carries Proc-Type and DEK-Info headers (BEGIN RSA PRIVATE KEY). Re-encrypt the key into that format and pass the new file:
openssl rsa -in root-ca.key -des3 -out root-ca-des3.key
On OpenSSL 3.x add -traditional, otherwise the output is PKCS#8 again. Do the same for tls-ca.key when that is the key given to -tls-key.
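The error above comes from a loader that understands only the legacy PEM encryption. This added example (not go-ca's code; loadRSAKey is a hypothetical loader whose error prefix copies the message on the page) shows the two formats side by side and why one fails: a constructed DES3-encrypted PKCS#1 key carries the DEK-Info header and decrypts, while a constructed block of type ENCRYPTED PRIVATE KEY is rejected before any parsing. Both keys are generated in the program, so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// keyPEMKind classifies a PEM private key by what the legacy loader keys on:
// PKCS#8 encryption (type "ENCRYPTED PRIVATE KEY", no DEK-Info header),
// legacy OpenSSL encryption (Proc-Type/DEK-Info headers), or a plaintext key.
func keyPEMKind(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	switch {
	case block.Type == "ENCRYPTED PRIVATE KEY":
		return "pkcs8-encrypted", nil
	case x509.IsEncryptedPEMBlock(block):
		return "legacy-encrypted", nil
	default:
		return "plaintext", nil
	}
}

// loadRSAKey is a hypothetical loader that only knows the legacy scheme: given a
// password it calls x509.DecryptPEMBlock, which requires the DEK-Info header, so a
// PKCS#8 block fails with "x509: no DEK-Info header in block" before any parsing.
func loadRSAKey(pemBytes []byte, password string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("fromPEMBytes: no PEM block found")
	}
	der := block.Bytes
	if password != "" {
		var err error
		if der, err = x509.DecryptPEMBlock(block, []byte(password)); err != nil {
			return nil, fmt.Errorf("fromPEMBytes: %w", err)
		}
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// newLegacyDES3Key builds a constructed sample: a fresh RSA key encrypted the way
// "openssl rsa -des3" (plus -traditional on OpenSSL 3) writes it, DEK-Info header included.
func newLegacyDES3Key(password string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), []byte(password), x509.PEMCipher3DES)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

// samplePKCS8Encrypted is a constructed stand-in for a key in the format OpenSSL 3
// writes by default; only the PEM type matters to the loader, the body is a dummy.
func samplePKCS8Encrypted() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte{0x30, 0x00}})
}

func main() {
	legacy, err := newLegacyDES3Key("secret")
	if err != nil {
		panic(err)
	}
	for _, k := range [][]byte{legacy, samplePKCS8Encrypted()} {
		kind, _ := keyPEMKind(k)
		_, err := loadRSAKey(k, "secret")
		fmt.Printf("%-16s load error: %v\n", kind, err)
	}
}
```

x509.DecryptPEMBlock and x509.EncryptPEMBlock are deprecated in Go because the RFC 1423 scheme does not authenticate the ciphertext and is open to padding-oracle attacks; the -des3 conversion makes the file loadable, but the real protection for root-ca.key is keeping it offline and off the signing host.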