A simple certificate manager written in Go. Easy to use with limited capability.
etcd-ca allows you to build your own certificate system:
- Create certificate authority
- Create, issue and export host certificates
- Manage host identities
- Deploy a Public Key Infrastructure
Primarily used for coreos/etcd SSL/TLS testing.
etcd-ca initializes a certificate authority and issues certificates from that authority only. This means the length of the certification path is at most 2.
Create a new certificate authority:
$ ./etcd-ca init
Created ca/key
Created ca/crt
Create a new host identity, including keypair and certificate request:
$ ./etcd-ca new-cert alice
Created alice/key
Created alice/csr
etcd-ca uses 127.0.0.1 for the IP SAN by default. If etcd has a peer address $etcd_ip other than 127.0.0.1, run this instead:
$ ./etcd-ca new-cert --ip $etcd_ip alice
Sign the certificate request of the host and generate the certificate:
$ ./etcd-ca sign alice
Created alice/crt from alice/csr signed by ca.key
Export the certificate chain for the host:
$ ./etcd-ca chain alice
----BEGIN CERTIFICATE-----
CA certificate body
-----END CERTIFICATE-----
----BEGIN CERTIFICATE-----
alice certificate body
-----END CERTIFICATE-----
Package up the certificate and key of the host:
$ ./etcd-ca export alice > alice.tar
Because etcd takes an unencrypted key for -peer-key-file, export the private key with:
$ ./etcd-ca export --insecure alice > alice.tar
List the status of all certificates:
$ ./etcd-ca status
ca: WARN (60 days until expiration)
alice: OK (120 days until expiration)
bob: Unsigned
etcd-ca must be built with Go 1.2+. You can build etcd-ca from source:
$ git clone https://github.com/coreos/etcd-ca
$ cd etcd-ca
$ ./build
This will generate a binary called
See CONTRIBUTING for details on submitting patches and contacting developers via IRC and mailing lists.
etcd-ca is under the Apache 2.0 license. See the LICENSE file for details.