soulteary / certs-maker Goto Github PK

100% Coverage! Lightweight self-signed certificate generator, size between 1.5MB (executable) and 5MB (docker image).

Home Page: https://soulteary.com/2022/10/22/make-docker-tools-image-with-only-3md-self-signed-certificate-certs-maker.html

License: MIT License

Dockerfile 2.38% Go 97.62%

certificate certs docker openssl self-hosted ssl

certs-maker's Introduction

Hi, Want to know something?

I'm an open-source software developer and blogger, I'm often active on the Zhihu community. Since late 2022, I've been studying at an investment institution while collaborating with its partners and tech community allies to research and implement cutting-edge technologies.

I also serve as an ambassador for Dify and PerfXCloud in China. If you're interested in community partnerships, I welcome the opportunity to discuss potential collaborations. 👋

Previously, I held roles as: Open-Source Evangelist of Milvus, Technical Director of Beijing Artificial Intelligence Research Institutes Community R&D and IT, Meituan Technical Evangelist, X Financial Front End Architect, Senior Front End Development Engineer at Alibaba Cloud, Meituan, Taobao and Sina Cloud.

I often use:


Docker	Go	Node.js	JavaScript	BASH	Python	PHP

Additionally, choose programming languages and tools based on mood and performance requirements, embracing flexibility in the selection process.

I regularly share insights on Zhihu and Weibo. If you're active on these platforms, feel free to connect and engage with me.

Interested in networking? Learn more about makeing friends with me.

certs-maker's People

Contributors

Stargazers

Watchers

certs-maker's Issues

Supports rapid generation of certificates used by K8S

自制的证书如何能够让浏览器自动添加授信？

如题，对于内部系统来说，自制的证书如何在一个企业内让内部用户都使用，无须浏览器增加授信的过程？

Certificate lifetime

It looks like the default lifetime is intended to be 10 years? I would suggest making it 3652 or 3653 days to account for leap years. An option to set a custom value would be much appreciated.

$  ./certs-maker --CERT_DNS=lab.com,*.lab.com,*.data.lab.com
[soulteary/certs-maker] v3.5.0

[...]

$  openssl x509 -in ssl/lab.com.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:84:18:4f:d9:8c:07:13:1c:a6:60:c3:4b:91:c1:79:d4:c5:44:45
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BJ, L = HD, O = Lab, OU = Dev, CN = Hello World
        Validity
            Not Before: Aug 19 20:34:15 2024 GMT
            Not After : Aug 17 20:34:15 2034 GMT

Does this program depend and build upon OpenSSL or does it implement https://pkg.go.dev/crypto/x509 ? It looks like it requires OpenSSL which isn't what I was looking for.

possible to specific output format?

Great tool, every handy.

By default it output certification in extention of .crt/.key, is that possible to output other format such as PEM?

优化建议 - 证书文件权限问题

目前生成的证书和 conf 文件的 owner 是 root ，且其他用户的权限为只读：

$ ll ssl
total 12K
-rw-r--r-- 1 root root  687 Nov 15 09:08 sb.home.conf
-rw-r--r-- 1 root root 1.4K Nov 15 09:08 sb.home.crt
-rw------- 1 root root 1.7K Nov 15 09:08 sb.home.key

某些情况下不是很便利，比如想要删除不需要的证书时，如果当前用户非 root ，需要 sudo rm 才行。

建议

通过环境变量或命令参数，传入当前用户或指定用户的 gid 和 uid，来给生成的文件赋予合适的权限
不传入时，仍保持目前的默认权限，保持后向兼容

怎么到期自动更新证书呢？

firefox 浏览器不信任自签的 CA 证书

如果 FOR_K8S 不配置，那么生成的证书将同时包含了根证书，这种证书即使添加到系统证书中， firefox 也没法信任，始终需要添加安全例外才行（错误代码: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY），其他浏览器没有这个限制，可以直接信任系统证书
- 原因在这里 https://stackoverflow.com/a/59739121 ，简要来说就是 firefox 出于安全原因，不允许信任自签名的根证书同时作为终端证书使用
而如果配置 FOR_K8S为 on ，那么生成的证书文件只包含终端证书，没有根证书，从而没法导入系统信任

因此能否提供一个选项，将自签后的根证书和终端证书都提供出来

也就是将原来的 example.com.crt 拆分为两个证书文件提供，一个终端证书，一个根证书，根证书用于添加信任，终端证书用于终端通讯

fix: run docker-compose.yml get error 'services must be a mapping'

when run

docker-compose up

get error

services must be a mapping

no create certs files

docker run --rm -it -v `pwd`/ssl:/ssl soulteary/certs-maker "--CERT_DNS=pve.he.home"

时，会报错：

running soulteary/certs-maker v2.4.2
wrong domains, set to default value: lab.com,*.lab.com,*.data.lab.com

实际生成的是域名为 lab.com 的证书

soulteary / certs-maker Goto Github PK

certs-maker's Introduction

Hi, Want to know something?

certs-maker's People

Contributors

Stargazers

Watchers

Forkers

certs-maker's Issues

Recommend Projects

Recommend Topics

Recommend Org