Certified is a small CLI tool for generating a self-signed ("TOFU", trust-on-first-use) TLS certificate and its ECC private key, suitable for use in small distributed networks like Gemini.
Two ECC formats are supported:
It's possible to use the openssl toolchain to create self-signed ECC certificates using Curve25519: check out the first reference link for a great explanation and example. But I think those tools are written for people who live, breathe, and swim in the world of X.509 arcana. This app is meant to demonstrate an imagined world where we don't care about hierarchical certificate authorities, or about going through a three-step process to request and then confirm a request for a certificate to ourselves from ourselves, when that certificate is little more than a gold filigree doily wrapped around a public key.
You can just run this script, a bit over 500 lines of Python, to generate the public/private key pair and wrap it in the ceremony that makes it palatable to the TLS 1.3 infrastructure. Feel free to copy this code and its ideas for your own projects, subject only to the Apache 2.0 license.
You need a basic Python 3 installation, and poetry.

Clone this repository, and then:

```sh
poetry install
```

If you have some other preferred way of dealing with Python packages, all of the dependencies are listed in `pyproject.toml`. They are:
```sh
./certified.py --help

# create a new Ed25519 certificate in "myserver-x509-cert.pem" (and its
# private key in "myserver-x509-key.pem") with the CN "myserver", that will
# expire in 365 days:
./certified.py -g myserver-x509 --name myserver --days 365

# show the contents of the certificate:
./certified.py -p myserver-x509-cert.pem

# show the contents of the private key (_including the private key data_):
./certified.py -k myserver-x509-key.pem

# dump out the ASN.1 structure of any random pem file (if you like exploring):
./certified.py --pp myserver-x509-key.pem
```
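The "ceremony" the text describes, as an added example that is not certified.py's own code: it builds the same kind of artifact (an Ed25519 key and a self-signed X.509 certificate with issuer equal to subject) with the `cryptography` library instead of hand-written ASN.1, and then checks the certificate's signature against the public key it carries, which is the only check a self-signed certificate can pass. The function names, the 365-day default and the SubjectAlternativeName extension are this example's choices, not the tool's.

```python
# Added example: generate a self-signed Ed25519 certificate with the
# `cryptography` library and verify it under its own public key.
# Not the code of certified.py; names and defaults here are assumptions.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID


def generate_self_signed(common_name: str, days: int = 365) -> tuple[bytes, bytes]:
    """Return (cert_pem, key_pem): a fresh Ed25519 key and a certificate
    that names `common_name` as both subject and issuer."""
    key = ed25519.Ed25519PrivateKey.generate()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)                 # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        # Not a CA: nobody should accept certificates issued under this one.
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        # TLS clients match the SAN, not the CN, when they check the host name.
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
        # Ed25519 hashes internally, so the signing hash algorithm must be None.
        .sign(key, algorithm=None)
    )
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return cert_pem, key_pem


def verify_self_signed(cert_pem: bytes) -> bool:
    """True if the certificate is Ed25519, issuer equals subject, and the
    signature over the TBSCertificate verifies with the embedded public key."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    pub = cert.public_key()
    if not isinstance(pub, ed25519.Ed25519PublicKey):
        return False
    if cert.issuer != cert.subject:
        return False
    try:
        pub.verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return False
    return True


def common_name_of(cert_pem: bytes) -> str:
    """Read the CN back out of the certificate's subject."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


if __name__ == "__main__":
    cert_pem, key_pem = generate_self_signed("myserver", 365)
    open("myserver-x509-cert.pem", "wb").write(cert_pem)
    open("myserver-x509-key.pem", "wb").write(key_pem)
    print("self-signature valid:", verify_self_signed(cert_pem))
```

The two output files use the same naming as the `-g myserver-x509` invocation above, so they can be fed to `./certified.py -p` and `-k` to compare what each tool emits.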
Try it out by running the test program `echo.py`, which will start a snarky echo service over TLS on a local socket and tell you how to connect to it with `openssl s_client`. Type a line of text through `s_client` and if it's echoed back to you, congratulations! You have a certificate and key file that can be used in a TLS service!

```sh
./echo.py -c myserver-x509
```
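A self-signed certificate carries no chain for a client to validate, so the client side of a TOFU deployment has to do what `s_client` does not: remember the certificate it saw first and refuse a later connection that presents a different one. The following is an added example, not part of echo.py or certified.py, of that client-side check using only the Python standard library. The `TofuStore` class, the fingerprint format (hex SHA-256 over the DER encoding, as `openssl x509 -fingerprint -sha256` prints it without the colons) and the sample PEM blobs are this example's constructions; Gemini's port 1965 is used as the default.

```python
# Added example: trust-on-first-use pinning for self-signed certificates.
# Not part of echo.py or certified.py; the store format is an assumption.
import hashlib
import json
import socket
import ssl
from pathlib import Path


class FingerprintMismatch(ssl.SSLCertVerificationError):
    """Raised when a host presents a certificate other than the pinned one."""


def fingerprint_pem(cert_pem: str) -> str:
    """Hex SHA-256 of the DER certificate (openssl's -sha256 fingerprint, no colons)."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    return hashlib.sha256(der).hexdigest()


class TofuStore:
    """Maps "host:port" to the fingerprint seen on first contact.
    With path=None the store lives only in memory (handy for tests)."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.known = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def check(self, host: str, port: int, cert_pem: str) -> str:
        """Return "new" on first contact, "match" on a repeat, or raise
        FingerprintMismatch if the certificate changed since it was pinned."""
        fp = fingerprint_pem(cert_pem)
        key = f"{host}:{port}"
        pinned = self.known.get(key)
        if pinned is None:
            self.known[key] = fp
            if self.path:
                self.path.write_text(json.dumps(self.known, indent=2))
            return "new"
        if pinned != fp:
            raise FingerprintMismatch(
                f"certificate for {key} changed: pinned {pinned}, got {fp}")
        return "match"


def connect_tofu(host: str, store: TofuStore, port: int = 1965) -> ssl.SSLSocket:
    """Open a TLS 1.3 connection and pin the peer certificate via `store`.
    CA verification is disabled on purpose: the fingerprint check replaces it.
    The caller owns (and must close) the returned socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port))
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
        store.check(host, port, pem)    # raises before any data is sent
    except Exception:
        tls.close()
        raise
    return tls


# Constructed sample "certificates": TOFU only ever hashes the DER bytes, so
# any two distinct blobs are enough to exercise the store offline.
SAMPLE_PEM_A = ssl.DER_cert_to_PEM_cert(b"constructed-der-blob-A")
SAMPLE_PEM_B = ssl.DER_cert_to_PEM_cert(b"constructed-der-blob-B")
```

In a real client the `FingerprintMismatch` is the event worth logging loudly: it is either a legitimate key rotation on the server or an interposed endpoint, and the store should not be overwritten until a human has decided which.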
Note that LibreSSL won't work here, because they haven't implemented Ed25519 certificate support yet. If you're on OS X, where LibreSSL is masquerading as openssl, you can install the real openssl via "brew" and run it from `/usr/share/opt/openssl/bin/openssl`.
Apache 2.0 license, included in `LICENSE.txt`.