Awesome

certifiable

A helper tool that simplifies the creation of development time SSL certificates for use with Java Webservers like Jetty.

Sometimes you just want a simple way to generate a Java Keystore file that you can supply to a Java server so that you can enable HTTPS development on your local machine.

Certifiable creates a secure root certificate on your machine that you can trust because the root keys get deleted. It then creates a single end user certificate and keys in the form of a Java Keystore.

This is more secure than the various tools that rely on you trusting a single root certificate while retaining the roots keys to allow the creation of more local certificates. While this is convenient it certainly isn't safe.

Certifiable only relies the Java keytool command. Assuming that if Java is installed then keytool will be available as well.

Leiningen dependency information:

[com.bhauman/certifiable "0.0.7"]

clj/deps.edn information:

{:deps {com.bhauman/certifiable {:mvn/version "0.0.7"}}}

This tool was built based on this excellent shell script.

Quick Docs

Generates a local developement Java keystore that can be used
to support SSL/HTTPS connections in a Java Server like Jetty.

Usage: clj -m certifiable.main [options] [command] [hostnames and ips]

Available Commands: (if no command is supplied "create" is the default)
 create [hosts and ips]  : takes a list of hostnames and ips and creates a keystore
                           if no hostnames or ips supplied defaults to
                           localhost www.locahost 127.0.0.1
 list                    : lists the current keystores
 info [name/list idx]    : displays info on the given store name or list index
 reset                   : deletes all keystores and removes the trust for them
 remove [name/list idx]  : deletes the given keystore and removes trust for it
 help                    : prints out these instructions


Options:
  -o, --output FILE  The path and filename of the jks output file
  -h, --help
  -v                 verbose - outputs more info about keytool calls

Quick Start Command Line Usage

Make sure you have the Clojure tools installed

Then to generate a certificate execute the following:

$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.7"}}}' -m certifiable.main

[Certifiable] Generating root and ca keypairs
[Certifiable] Generating root certificate: ~/_certifiable_certs/localhost-1d070e4/dev-root-trust-this.pem
[Certifiable] Generating ca certificate signed by root
[Certifiable] Importing root and ca chain into ca.jks keystore
[Certifiable] Deleted trusted root certificate keys: ~/_certifiable_certs/localhost-1d070e4/dev-root.jks
[Certifiable] Generate private keys for server
[Certifiable] Generate a certificate for server signed by ca
[Certifiable] Importing complete chain into keystore at: ~/_certifiable_certs/localhost-1d070e4/dev-server.jks
[Certifiable] Deleted intermediate certificate authority keys: ~/_certifiable_certs/localhost-1d070e4/intermediate-certificate-authority.jks
[Certifiable] Generated Java Keystore file: ~/_certifiable_certs/localhost-1d070e4/dev-server.jks
[Certifiable] Attempting to add root certificate to MacOS login keychain.
[Certifiable] Cert "Certifiable dev root (localhost-1d070e4)" successfully added to MacOS login keychain!
[Certifiable] Attempting to add root certificate to Firefox nss trust store.
[Certifiable] Cert "Certifiable dev root (localhost-1d070e4) 756891964" successfully added to Firefox trust store!
--------------------------- Setup Instructions ---------------------------
Local dev Java keystore generated at: ~/_certifiable_certs/localhost-1d070e4/dev-server.jks
The keystore type is: "JKS"
The keystore password is: "password"
The root certificate is: ~/_certifiable_certs/localhost-1d070e4/dev-root-trust-this.pem
For System: root certificate is trusted
For Firefox: root certificate is trusted
Example SSL Configuration for ring.jetty.adapter/run-jetty:
{:ssl? true,
 :ssl-port 9533,
 :keystore
 "~/_certifiable_certs/localhost-1d070e4/dev-server.jks",
 :key-password "password"}

The file ~/_certifiable_certs/localhost-1d070e4/dev-root-trust-this.pem needs to be trusted by your operating system and Firefox directly in order to avoid the not trusted browser warnings.

On MacOS the above command will ask to have the generated certificate imported into your keychain as a trusted certificate.

This command will also create a default Java Keystore for localhost, www.localhost and 127.0.0.1 at ~/_certifiable_certs/localhost-1d070e4/dev-server.jks that you can supply to a Clojure webserver like ring.jetty.adapter like so:

(require '[ring.adapter.jetty :refer [run-jetty]]

(run-jetty (fn [req] {:status 200 :content-type "text/plain" :body "Hi"}))
  {:join? false
   :port 9500
   :ssl? true
   :ssl-port 9533
   :keystore "[home-dir]/_certifiable_certs/localhost-1d070e4/dev-server.jks"
   :key-password "password"})

The password for the keystore is always password.

If everything worked properly and you have trusted the root certificate then visiting https://localhost:9533, https://www.localhost:9533 and https://127.0.0.1:9533 should all work.

Specify custom local domain

If you want your HTTPS server to be available on particular local domain (I.E. example.test) first make sure you have the domain added it to your /etc/hosts file. After you have done that you can call:

$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.7"}}}' -m certifiable.main create example.test localhost 127.0.0.2

That command will generate a new local development certifiable with a custom the Subject Alternative Name section that includes both example.test, localhost and 127.0.0.2.

Listing and getting info on available keystores

The list command will list available keystores

$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.7"}}}' -m certifiable.main list
Keystores found in directory:  /Users/bhauman/_certifiable_certs
1. localhost-1d070e4  [localhost, www.localhost, 127.0.0.1]
2. localhost-8464661  [localhost, 127.0.0.1]
3. test.localhost-8496962  [test.localhost, 127.0.0.1]

You can get more info on a specific cert with the info command which takes and index from the list command or the name of the keystore as an arg.

$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.7"}}}' -m certifiable.main info 1
{:created #inst "2020-06-26T17:13:54.285-00:00",
 :domains ["localhost" "www.localhost"],
 :stable-name "localhost-1d070e4",
 :ips ["127.0.0.1"],
 :password "password",
 :root-pem-path
 "/Users/bhauman/_certifiable_certs/localhost-1d070e4/dev-root-trust-this.pem",
 :server-keystore-path
 "/Users/bhauman/_certifiable_certs/localhost-1d070e4/dev-server.jks"}

And with a keystore name:

$ clj -m certifiable.main info test.localhost-8496962
{:created #inst "2020-06-26T17:22:07.307-00:00",
 :domains ("test.localhost"),
 :stable-name "test.localhost-8496962",
 :ips ["127.0.0.1"],
 :password "password",
 :root-pem-path
 "/Users/bhauman/_certifiable_certs/test.localhost-8496962/dev-root-trust-this.pem",
 :server-keystore-path
 "/Users/bhauman/_certifiable_certs/test.localhost-8496962/dev-server.jks"}

Output Java KeyStore file to a specific location

If you would like to output .jks file to a certain path you can supply a -o or --output option like so:

$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.7"}}}' -m certifiable.main -o dev-example.jks create

Debugging

If a command isn't executing correctly you can use the -v option to print out all the calls to keytool.

Reseting

If you get to a point where things aren't working you can use the reset command and it will clear out the root and ca certificates and allow you to start from scratch.

$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.7"}}}' -m certifiable.main reset

Help

Using the help command or -h option with display all possible CLI options.

Other tools/inspiration

• mkcert - A simple zero-config tool to make locally trusted development certificates with any names you'd like.

Why use certifiable over mkcert?

mkcert is a robust, well maintained, and popular tool. mkcert creates one root certificate and then keeps the keys for that certificate on your machine so it can create more leaf certificates from a single trusted root. This is potentially hazardous as you have trusted a root certificate that someone may be able to obtain the keys for, allowing an attacker to create trusted certificates for arbitrary sites like google.com. certifiable trades off ease of use for safety, it creates a new root certificate for each leaf certificate and then deletes all the keys for the root certificates. This requires you to trust each root certificate individually but guarantees that no new certificates can be created for that trusted root.

License

Copyright © 2020 Bruce Hauman

Distributed under the Eclipse Public License either version 1.0 or (at your option) any later version.