Home

Awesome

TL;DR

This is an opinionated single-file TLS certificate manager. It has no dependencies on any other external tool such as openssl. It is a simpler replacement for openssl(1).

Features

Building certik

You will need a fairly recent golang toolchain (>1.10):

$ git clone https://github.com/opencoff/certik
$ cd certik
$ ./build -s

The build script puts the binary in a platform specific directory:

And so on. The build script can generate a fully standalone statically-linked binary on platforms that support it. To build statically linked binaries, use build -s.

You can also do cross-platform builds for any supported OS, Arch combination supported by the golang toolchain. e.g., on macOS, to build a statically linked binary for linux-amd64 architecture:

$ ./build -s --arch linux-amd64

Invoking certik

The common pattern for invoking certik is:

certik DB CMD [options] [arguments]

Where:

The tool writes the certificates, keys into an encrypted boltdb instance.

The tool comes with builtin help:

$ ./bin/openbsd-amd64/certik --help

Every subcommand comes with its own help; but, requires you to at least supply a database name as the first argument. e.g.,

$ ./bin/openbsd-amd64/certik foo.db server --help

Common Workflows

In what follows, we will assume that you have built certik and installed somewhere in your $PATH.

Initialize a new CA

Before any certificates are generated, one must first create a CA and initialize the certificate DB:

$ certik -v foo.db init my-CA

You can optionally initialize a CA from a previously exported JSON dump:

$ certik -v foo.db init --from-json FILE

You can see the generated CA certificate via two ways:

  1. Using -v for the certik's global options
  2. Using the list command with the --root-ca option.

In general, using the -v global option when generating the CA, server or client certificates will print the certificate to stdout at the end.

The CA can be initialized with additional data such as Organization Name, Organization Unit Name etc. See init --help for additional details.

The default lifetime of the CA is 5 years; you can change this via the -V (--validity) option to "init".

Create a TLS server certificate & key pair

An TLS server needs a few things:

Creating a new server certificate/key pair:

$ certik -v foo.db server -i IP.ADDR.ES server.domain.name

Of course, you should use the appropriate values for IP.ADDR.ES and server.domain.name for your setup.

The IP Address and Server FQDN show up in the certificate as Certificate.IPAddress and Certificate.Sibject.CommonName. Additionally, the server FQDN also shows up in Certificate.DNSNames.

You can request the server certificate to have a different validity via the V (--validity) option; this option takes the value in units of years.

You can of course create as many server certificates as needed.

Create a TLS client (user) certificate & key pair

An TLS client certificate is quite simple - it just needs a common name. For convenience, you may use the email address as the common Name.

$ certik -v foo.db client user@domain.name

You can ask the client private key to be encrypted with a user supplied passphrase by using the -p or --password option to the client command. You can request the client certificate to have a different validity via the V (--validity) option; this option takes the value in units of years.

Delete a certificate & key from the Cert Database

Once in a while you will want to delete users and prevent them from connecting to the TLS server. E.g.,

$ certik -v foo.db delete user@domain.name user2@domain

This only deletes the users from the certificate DB. You still need to generate a new CRL (Certificate Revocation List) and push it to your server. See the next workflow.

Generate a CRL from Revoked Certificates

Once a user is deleted from the system, you will need to generate a new CRL and push it to the server. The command to generate a new CRL:

$ certik -v foo.db crl -o crl.pem

This write the PEM encoded CRL to crl.pem. You must copy this file to the OpenVPN server and reload (or restart) it.

You can also just view a full list of revoked users:

$ certik foo.db crl --list

See list of certificates managed by this CA

To see a list of certificates in the database:

$ certik foo.db list

Exporting a Certificate & Key

While the tool manages certificates, for use in a TLS client or server, we need to export the CA certificate, server certificate and key. To export a certificate & key configuration:

$ certik foo.db export server.domain.name
$ certik foo.db export user@domain.name

This prints the PEM encoded cert & key to stdout. To write each to a separate file:

$ certik foo.db export server.domain.name -o server

This will write the certificate into server.crt and key to server.key.

Exporting the CA Certificate

The CA certificate anchors the root of trust; so, the TLS Server and Client both need the CA Certificate. One exports it like so:

$ certik foo.db export --ca -o ca.crt

TODO

Development Notes

If you wish to hack on this, notes here might be useful.

The code is organized as a library & command line frontend for that library.

Guide to Source Code