A simple certificate manager written in Go. Easy to use with limited capability.
etcd now uses cfssl as the official tool to generate certificates. cfssl provides more features and is well maintained. We provide an example using the tool here.
etcd-ca allows you to build your own certificate system:
- Create certificate authority
- Create, issue and export host certificates
- Manage host identities
- Deploy a Public Key Infrastructure
Primarly used for coreos/etcd SSL/TLS testing.
etcd-ca inits a certificate authority, and issues certificates using the authority only. It indicates the length of authorization path is at most 2.
$ ./etcd-ca init
Created ca/key
Created ca/crt
$ ./etcd-ca new-cert alice
Created alice/key
Created alice/csr
etcd-ca uses 127.0.0.1 for IP SAN in default. If etcd has peer address $etcd_ip other than 127.0.0.1, run ./etcd-ca new-cert -ip $etcd_ip alice
instead.
If your server has mutiple ip addresses or domains, use comma seperated ip/domain list with -ip/-domain. eg: ./etcd-ca new-cert -ip $etcd_ip1,$etcd_ip2 -domain $etcd_domain1,$etcd_domain2
$ ./etcd-ca sign alice
Created alice/crt from alice/csr signed by ca.key
$ ./etcd-ca chain alice
----BEGIN CERTIFICATE-----
CA certificate body
-----END CERTIFICATE-----
----BEGIN CERTIFICATE-----
alice certificate body
-----END CERTIFICATE-----
$ ./etcd-ca export alice > alice.tar
Because etcd takes unencrypted key for -key-file
and -peer-key-file
, you should use ./etcd-ca export --insecure alice > alice.tar
to export private key.
$ ./etcd-ca status
ca: WARN (60 days until expiration)
alice: OK (120 days until expiration)
bob: Unsigned
etcd-ca must be built with Go 1.3+. You can build etcd-ca from source:
$ git clone https://github.com/coreos/etcd-ca
$ cd etcd-ca
$ ./build
This will generate a binary called ./bin/etcd-ca
generate certificates for etcd
See CONTRIBUTING for details on submitting patches and contacting developers via IRC and mailing lists.
etcd-ca is under the Apache 2.0 license. See the LICENSE file for details.