certainly 1.8.0

The easiest way to create self-signed certificates. Ever.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198

certainly(1) -- create self-signed certificates with ease
==========================================================

## SYNOPSIS

certainly [`--std` | `--reverse-std` | `--double-std`] [`--ecdsa` | `--ed25519` | `--rsa`] [`--ca` <name>] [`--client`] <domain> [<domain>...]

certainly [`--std` | `--reverse-std` | `--double-std`] [`--ecdsa` | `--ed25519` | `--rsa`] `--make-ca` <name>

certainly --inspect <certificate or url>

## DESCRIPTION

Creates a self-signed certificate and key with one or more domains associated.

By default, files named after the first domain given are written in the current directory, but flags can be passed to output to standard pipes instead.

With the `--ca` option, issues a certificate signed by a "CA" instead. The CA certificate/key pair can be created with _certainly_ as well.

The inspect option instead reads a certificate file (or fetches it from a remote site) and outputs terse information about it: whether it's self-signed, its dates, and the domains it covers.

Files are written and read in PEM format. On Unix, file are written with 0600 permissions.

By default, generates ECDSA keys on the P-256 curve.

## OPTIONS

* <domain>:
A domain to add to the certificate. The first such domain will also be the certificate's _common name_. IPv4 and v6 addresses are also supported.

* `--std`:
Outputs first the key then the certificate to STDOUT.

* `--reverse-std`:
Outputs first the certificated then the key to STDOUT.

* `--double-std`:
Outputs the key to STDERR, and the certificate to STDOUT. This is useful to write both files to a custom location efficiently, such as: `certainly --double-std domain.test > test.crt 2> test.key`.

* `--client`:
Creates a client certificate instead of a server certificate.

* `--ecdsa`:
Generates ECDSA keys (default). Use this option in scripts when you require an ECDSA key as the default may change.

* `--ed25519`:
Generates ED25519 keys.

* `--rsa`:
Generates RSA keys. Key length is 4096. This is slow and the RSA implementation has not been audited; do not use for production or security.

* `--ca` <name>:
Uses the certificate/key pair _<name>.crt_ and _<name>.key_ to sign the created certificate instead of self-signing.

* `--make-ca` <name>:
Creates a certificate/key pair suitable for issuing instead of a web certificate.

* `--inspect` <certificate>:
Reads the <certificate> (in PEM format), prints some information about it, and exits. Alternatively takes a URL or domain or IP address.

## EXAMPLES

Create a self-signed certificate for test.domain:

    $ certainly test.domain
    Writing test.domain.key
    Writing test.domain.crt

Create a self-signed certificate for several domains:

    $ certainly test.domain test.place test.pizza
    Writing test.domain.key
    Writing test.domain.crt

Output a new key and certificate:

    $ certainly --std test.app
    -----BEGIN PRIVATE KEY-----
    MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2yn3kvq3WzJv8F+V
    BxZ+HCo73JQ7ABUrDDvBpUpexlehRANCAAR4gwky7IoIAdKwd3jSs7/VfrR0AsN9
    LwYp0O988ZWGYhN+Dko7KuSrtYJ/kVBs+5iQnH2uK2OXKqpv5T8X/pUR
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIICPzCCAeWgAwIBAgIUPQ+Sy8RPt2gt5jW5wS6FRIydakkwCgYIKoZIzj0EAwQw
    QTELMAkGA1UEBhMCWloxCzAJBgNVBAgMAkFBMRIwEAYDVQQKDAlDZXJ0YWlubHkx
    ETAPBgNVBAMMCHRlc3QuYXBwMB4XDTE4MDkwNTIxMTM1N1oXDTI4MDkwMjIxMTM1
    N1owQTELMAkGA1UEBhMCWloxCzAJBgNVBAgMAkFBMRIwEAYDVQQKDAlDZXJ0YWlu
    bHkxETAPBgNVBAMMCHRlc3QuYXBwMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
    eIMJMuyKCAHSsHd40rO/1X60dALDfS8GKdDvfPGVhmITfg5KOyrkq7WCf5FQbPuY
    kJx9ritjlyqqb+U/F/6VEaOBujCBtzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF
    4DAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwZgYDVR0jBF8wXaFFpEMw
    QTELMAkGA1UEBhMCWloxCzAJBgNVBAgMAkFBMRIwEAYDVQQKDAlDZXJ0YWlubHkx
    ETAPBgNVBAMMCHRlc3QuYXBwghQ9D5LLxE+3aC3mNbnBLoVEjJ1qSTATBgNVHREE
    DDAKggh0ZXN0LmFwcDAKBggqhkjOPQQDBANIADBFAiBbaxLKxwnSWZy/3VzOOASs
    9lz8YQWzc7NCESXzZTAHuAIhAOFKSelBXJEBsNLCtS86JNEvya+3XPWAL9R+O1jp
    WMna
    -----END CERTIFICATE-----

Write a key and certificate to custom locations:

    $ certainly --double-std test.space 2> moon-key.pem > moon-cert.pem

Show some information about a certificate:

    $ certainly --inspect test.ninja.crt
    [Local]  C=ZZ, O=Certainly, OU=test.ninja from kaydel-ko, CN=test.ninja
    Issuer:  C=ZZ, O=Certainly, OU=test.ninja from kaydel-ko, CN=test.ninja

    Created on:   Sun Sep 15 01:15:29 2019
    Expires on:   Sun Sep 15 01:15:29 2029

    Domains:
     DNS: test.ninja
     DNS: test.green
     EMAIL: test@red.link
     DNS: test.technology
     DNS: rofl.lmao.lol
     IPV4: 1.2.3.4

    To see more: $ openssl x509 -text -in test.ninja.crt

Show some information about google's certificate:

    $ certainly --inspect google.com
    [Remote] C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com
    Issuer:  C=US, O=Google Trust Services, CN=GTS CA 1O1

    Chain:
     Subject: C=US, O=Google Trust Services, CN=GTS CA 1O1
     Issuer:  OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign

    Created on:   Sun Aug 23 10:28:57 2019
    Expires on:   Sun Nov 21 10:28:57 2019

    Domains:
     DNS: *.google.com
     DNS: *.android.com
     DNS: *.appengine.google.com
     DNS: *.cloud.google.com
     DNS: *.crowdsource.google.com
     DNS: *.g.co
    (... many more domains ...)

    To see more: $ echo Q | openssl s_client google.com:443

Create a CA pair and sign a new certificate:

    $ certainly --make-ca ca.test
    Writing ca.test.key
    Writing ca.test.crt

    $ certainly --ca ca.test test.party
    Writing test.party.key
    Writing test.party.crt

    $ certainly --inspect test.party.crt
    [Local]  C=ZZ, O=Certainly, OU=test.party from kaydel-ko, CN=test.party
    Issuer:  C=ZZ, O=Certainly, OU=ca.test from kaydel-ko, CN=ca.test

    Created on:   Sun Sep 15 01:20:44 2019
    Expires on:   Sun Sep 15 01:20:44 2029

    Domains:
     DNS: test.party

    To see more: $ openssl x509 -text -in test.party.crt

## DETAILS

Certificates are generated with a common subject of:

* C (Country): `ZZ`

* ST (State): `AA`

* O (Organisation): `Certainly`

They use elliptical curve cryptography using `prime256v1` hashed with `SHA-256` by default.

This generates small files (easier to inspect and manipulate) and uses algorithms that are well supported by modern tools (browsers, servers, etc) while being up-to-date with security best practices.

In some legacy cases, should you absolutely need to, the `--rsa` flag instead uses 4096-bit RSA keys.

ED25519 keys are also available with the `--ed25519` flag, and produce even smaller keys, but such keys are not well supported by tools at time of writing.

## ENVIRONMENT VARIABLES

The distinguished name details can be controlled using the following variables:

* `CERTAINLY_C`
* `CERTAINLY_O`
* `CERTAINLY_OU`

## AUTHOR

FĂ©lix Saparelli <https://passcod.name>

Licensed under the _Artistic License 2.0_.