certainly(1) -- create self-signed certificates with ease
==========================================================
## SYNOPSIS
certainly [`--std` | `--reverse-std` | `--double-std`] [`--rsa`] [`--ca` <name>] [`--client`] <domain> [<domain>...]
certainly [`--std` | `--reverse-std` | `--double-std`] [`--rsa`] `--make-ca` <name>
certainly --inspect <certificate or url>
## DESCRIPTION
Creates a self-signed certificate and key with one or more domains associated.
By default, files named after the first domain given are written in the current directory, but flags can be passed to write to the standard output streams instead.
With the `--ca` option, issues a certificate signed by a "CA" instead. The CA certificate/key pair can be created with _certainly_ as well.
The inspect option instead reads a certificate file (or fetches it from a remote site) and outputs terse information about it: whether it's self-signed, its dates, and the domains it covers.
Files are written and read in PEM format. On Unix, files are written with 0600 permissions.
By default, generates ECDSA keys on the P-256 curve.
## OPTIONS
* <domain>:
A domain to add to the certificate. The first such domain will also be the certificate's _common name_. IPv4 and v6 addresses are also supported.
* `--std`:
Outputs first the key then the certificate to STDOUT.
* `--reverse-std`:
Outputs first the certificate then the key to STDOUT.
* `--double-std`:
Outputs the key to STDERR, and the certificate to STDOUT. This is useful to write both files to a custom location efficiently, such as: `certainly --double-std domain.test > test.crt 2> test.key`.
* `--client`:
Creates a client certificate instead of a server certificate.
* `--rsa`:
Generates RSA keys instead of the default ECDSA. Key length is 4096.
* `--ca` <name>:
Uses the certificate/key pair _<name>.crt_ and _<name>.key_ to sign the created certificate instead of self-signing.
* `--make-ca` <name>:
Creates a certificate/key pair suitable for issuing instead of a web certificate.
* `--inspect` <certificate>:
Reads the <certificate> (in PEM format), prints some information about it, and exits. Alternatively takes a URL, domain, or IP address.
## EXAMPLES
Create a self-signed certificate for test.domain:

    $ certainly test.domain
    Writing test.domain.key
    Writing test.domain.crt

Create a self-signed certificate for several domains:

    $ certainly test.domain test.place test.pizza
    Writing test.domain.key
    Writing test.domain.crt

Output a new key and certificate:

    $ certainly --std test.app
    -----BEGIN PRIVATE KEY-----
    MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2yn3kvq3WzJv8F+V
    BxZ+HCo73JQ7ABUrDDvBpUpexlehRANCAAR4gwky7IoIAdKwd3jSs7/VfrR0AsN9
    LwYp0O988ZWGYhN+Dko7KuSrtYJ/kVBs+5iQnH2uK2OXKqpv5T8X/pUR
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (... certificate data ...)
    -----END CERTIFICATE-----

Write a key and certificate to custom locations:

    $ certainly --double-std test.space 2> moon-key.pem > moon-cert.pem

Show some information about a certificate:

    $ certainly --inspect test.ninja.crt
    Self-signed certificate
    Created on: 2018-09-05 21:17:47 UTC
    Expires on: 2028-09-02 21:17:47 UTC
    Domains:
    DNS: test.ninja
    DNS: test.green
    EMAIL: test@red.link
    DNS: test.technology
    DNS: rofl.lmao.lol
    IPV4: 1.2.3.4

Show some information about google's certificate:

    $ certainly --inspect google.com
    Certificate signed by Google Internet Authority G3
    Created on: 2018-09-18 12:34:00 UTC
    Expires on: 2018-12-11 12:34:00 UTC
    Domains:
    DNS: *.google.com
    DNS: *.android.com
    DNS: *.appengine.google.com
    DNS: *.cloud.google.com
    DNS: *.g.co
    (... many more domains ...)

Use OpenSSL to view all information about a certificate:

    $ openssl x509 -text -in test.wtf.crt
    Certificate:
    Data:
    Version: 3 (0x2)
    (... much more data ...)

Create a CA pair and sign a new certificate:

    $ certainly --make-ca ca.test
    Writing ca.test.key
    Writing ca.test.crt
    $ certainly --ca ca.test test.party
    Writing test.party.key
    Writing test.party.crt
    $ certainly --inspect test.party.crt
    Certificate signed by ca.test
    Created on: 2018-09-06 01:41:25 UTC
    Expires on: 2028-09-03 01:41:25 UTC
    Domains:
    DNS: test.party

## DETAILS
Certificates are generated with a common subject of:
* C (Country): `ZZ`
* ST (State): `AA`
* O (Organisation): `Certainly Subjecting`
They use elliptic curve cryptography on the `prime256v1` curve, with `SHA-512` as the signature hash.
This produces small files (easier to inspect and manipulate) and uses algorithms that are well supported by modern tools (browsers, servers, etc.) while following current security best practices.
Should you absolutely need RSA for a legacy case, the `--rsa` flag uses 4096-bit RSA keys instead.
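The following Go program is an added illustration and is not part of _certainly_ or of this manual: it reproduces with the Go standard library what the DETAILS above and the `--make-ca` / `--ca` / `--inspect` examples describe, so the choices can be checked against real X.509 objects. It assumes a P-256 key, an ECDSA-with-SHA-512 signature, the fixed subject with CN set to the first domain, DNS and IP subject alternative names, and a ten-year lifetime taken from the example dates; the exact extensions and key usages _certainly_ emits are not stated on this page and are this example's own choice. The names `issue`, `inspect` and `verifyChain` are this example's, not the tool's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// issue creates a P-256 (prime256v1) key and a certificate for domains, signed with
// ECDSA over SHA-512 and carrying the fixed subject from DETAILS (CN = first domain).
// parent == nil self-signs; otherwise the parent CA pair signs (the --ca case).
// isCA produces an issuing certificate instead of a web one (the --make-ca case).
func issue(domains []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Country: []string{"ZZ"}, Province: []string{"AA"}, Organization: []string{"Certainly Subjecting"}, CommonName: domains[0]},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0), // ten-year lifetime, assumed from the inspect output above
		SignatureAlgorithm:    x509.ECDSAWithSHA512,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	for _, d := range domains { // IPv4/IPv6 literals become IP SANs, everything else a DNS SAN
		if ip := net.ParseIP(d); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, d)
		}
	}
	signer, signerKey := tmpl, key // self-signed unless a CA pair was given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// inspect builds the terse --inspect summary. "Self-signed" is decided by verifying
// the signature under the certificate's own public key, not by comparing names.
func inspect(cert *x509.Certificate) []string {
	head := "Certificate signed by " + cert.Issuer.CommonName
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		head = "Self-signed certificate"
	}
	const layout = "2006-01-02 15:04:05"
	out := []string{head, "Created on: " + cert.NotBefore.UTC().Format(layout) + " UTC",
		"Expires on: " + cert.NotAfter.UTC().Format(layout) + " UTC", "Domains:"}
	for _, d := range cert.DNSNames {
		out = append(out, "DNS: "+d)
	}
	for _, ip := range cert.IPAddresses {
		kind := "IPV6"
		if ip.To4() != nil {
			kind = "IPV4"
		}
		out = append(out, kind+": "+ip.String())
	}
	return out
}

// verifyChain validates leaf against the CA for name, as a TLS client would.
func verifyChain(leaf, ca *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

func main() {
	ca, caKey, err := issue([]string{"ca.test"}, true, nil, nil) // certainly --make-ca ca.test
	if err != nil {
		panic(err)
	}
	leaf, _, err := issue([]string{"test.party", "1.2.3.4"}, false, ca, caKey) // certainly --ca ca.test test.party 1.2.3.4
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(inspect(leaf), "\n"))
	fmt.Println("chain verifies for test.party:", verifyChain(leaf, ca, "test.party") == nil)
}
```

`inspect` decides "self-signed" by checking the signature under the certificate's own public key; matching issuer and subject names alone proves nothing, since anyone can set the issuer field to equal the subject. `verifyChain` is the check a client performs once the CA certificate is trusted, and it also fails when the requested name is absent from the subject alternative names or when a self-signed leaf is presented in place of a CA-issued one. Writing the pair to disk in the layout this page describes is `x509.MarshalPKCS8PrivateKey` followed by `pem.EncodeToMemory` with block types `PRIVATE KEY` and `CERTIFICATE`, handed to `os.WriteFile` with mode `0o600`.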
## ENVIRONMENT VARIABLES
The distinguished name details can be controlled using the following variables:
* `CERTAINLY_C`
* `CERTAINLY_ST`
* `CERTAINLY_O`
* `CERTAINLY_OU`
## AUTHOR
Félix Saparelli <https://passcod.name>
Licensed under the _Artistic License 2.0_.