Dead-simple, portable generation of host self-signed x509 cert via temporary root CA.
This package provides simple, cross-platform generation of self-signed client and server TLS certs. It is intended for cases where it is infeasible to use a more complete internal CA.
See the Releases page. Download and extract the binary for your platform.
Commands below are for OSX/Linux; for Windows use `gen-self-signed-cert.exe`.
- Generate the CA and host certificate for your host (here, `myhost.example.com`):
  - to create a plaintext key file: `gen-self-signed-cert -host myhost.example.com`
  - to create a password-protected, AES-256 encrypted key file: `gen-self-signed-cert -encrypt -host myhost.example.com`
- Send the `ca.crt` file to the system that needs to authenticate your host, and configure that system to trust your CA. For example:
  - For a HAProxy server performing client certificate authentication, this would be the `ca-file`.
  - For a curl client authenticating a server, this would be the `--cacert` flag, as in: `curl --cacert ca.crt https://myhost.example.com`
- Configure your host to use the combination of `host.crt` and `host.key` to authenticate itself.
  - For a curl client performing client certificate authentication, these would be the `--cert` and `--key` flags, as in: `curl --cert host.crt --key host.key https://some.server.com`
  - For a HAProxy server terminating TLS, these would be combined into the `ssl crt /etc/ssl/xip.io/xip.io.pem` file.
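
The trust model behind these steps, as an added Go sketch using only the standard library (it is not this project's code): a throwaway root CA signs one host certificate, and the relying party verifies that certificate against the CA certificate alone. The function names, P-256 keys, fixed serial numbers and 24-hour validity are assumptions made for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps this sketch short; production code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl for pub under parent, signed with signer (24h validity, assumed).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// hostPair returns ca.crt and host.crt equivalents; caKey is dropped on return.
func hostPair(host string) (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	hostKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // would be written out as host.key
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "temporary root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	leaf = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, ca, &hostKey.PublicKey, caKey)
	return ca, leaf
}

// trusts is the relying party's check: does leaf chain to ca for this name?
func trusts(ca, leaf *x509.Certificate, name string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err
}

func main() {
	ca, leaf := hostPair("myhost.example.com")
	fmt.Println("chain check error:", trusts(ca, leaf, "myhost.example.com"))
}
```

The host certificate is rejected for any other hostname and under any other CA certificate, even one with the same subject name, which is why the relying system is given `ca.crt` as its trust anchor.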