
rkosegi/pkitool

PKI tool for lazy people

This is a CLI tool to manipulate certificates and private keys in a single directory. Most notably, it can create a root CA, an intermediate CA and leaf certificates (plus their private keys) quite easily.

It exists because using openssl to achieve something similar is a waste of time (or am I the only one using it the wrong way?).

This tool can do only very basic things, mainly to support test activities around PKI use cases (read: I need a TLS cert of some sort).

Example

I want a root CA, an intermediate CA and 2 leaf certs for my web servers.

  • root CA

     ./dist/pkitool create ca --years 10 --alias rootCA --subject-common-name "Root of all evil" --subject-organization "My evil organization"

    Now you have rootCA.pem and rootCA.key in the current directory. Nice.

  • intermediate CA

     pkitool create ca --years 5 --intermediate --parent rootCA --alias imCA --subject-common-name "evil child" --subject-organization "My evil organization"

  • leaf 1

     pkitool create leaf --years 2 --parent imCA --alias server1 --subject-common-name "server1" --subject-organization "My evil organization"

  • leaf 2

     pkitool create leaf --years 2 --parent imCA --alias server2 --subject-common-name "server2" --subject-organization "My evil organization"

Wanna SANs? Just append --dns-san server1.acme.tld or --ip-san 192.168.10.31 when creating a leaf certificate.

Show me what was created

pkitool list
+--------------------------------+--------------------------------+-------------------------------+
|            SUBJECT             |             ISSUER             |           VALID TO            |
+--------------------------------+--------------------------------+-------------------------------+
| CN=evil child,O=My evil        | CN=Root of all evil,O=My evil  | 2029-03-02 13:28:37 +0000 UTC |
| organization                   | organization                   |                               |
| CN=Root of all evil,O=My evil  | CN=Root of all evil,O=My evil  | 2034-03-02 13:28:34 +0000 UTC |
| organization                   | organization                   |                               |
| CN=server1,O=My evil           | CN=evil child,O=My evil        | 2026-03-02 13:28:43 +0000 UTC |
| organization                   | organization                   |                               |
| CN=server2,O=My evil           | CN=evil child,O=My evil        | 2026-03-02 13:31:59 +0000 UTC |
| organization                   | organization                   |                               |
+--------------------------------+--------------------------------+-------------------------------+

More detail, please

pkitool show --alias server2
+--------------------------+---------------------------------------------------+
|         PROPERTY         |                       VALUE                       |
+--------------------------+---------------------------------------------------+
| Basic constraints valid? | true                                              |
| Ext. key usage           | ExtKeyUsageClientAuth,ExtKeyUsageServerAuth       |
| Is CA?                   | false                                             |
| Issuer                   | CN=evil child,O=My evil                           |
|                          | organization                                      |
| Key usage                | KeyUsageDigitalSignature,KeyUsageDataEncipherment |
| Public exponent          | 65537                                             |
| Serial                   | 0                                                 |
| Subject                  | CN=server2,O=My evil                              |
|                          | organization                                      |
| Valid from               | 2024-03-02 13:31:59 +0000 UTC                     |
| Valid to                 | 2026-03-02 13:31:59 +0000 UTC                     |
+--------------------------+---------------------------------------------------+
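To confirm that a chain built this way actually validates, here is an added Go example (not pkitool's own code) that verifies a leaf against the intermediate and root with Go's crypto/x509 and also rejects the serial number 0 that pkitool show reports above, because RFC 5280 section 4.1.2.5 requires a positive serial. VerifyChain is a name chosen here, and mint is a constructed stand-in for pkitool create so the block runs offline instead of reading rootCA.pem, imCA.pem and server1.pem.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyChain checks the PEM files pkitool writes (rootCA.pem, imCA.pem, server1.pem): the leaf must chain to the
// root through the intermediate, carry host as a DNS SAN and have a positive serial (RFC 5280 4.1.2.5), so 0 fails.
func VerifyChain(rootPEM, imPEM, leafPEM []byte, host string) error {
	roots, ims := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM) // unparsable input is simply absent from the pool, and
	ims.AppendCertsFromPEM(imPEM)     // Verify then fails with "signed by unknown authority"
	blk, _ := pem.Decode(leafPEM)
	if blk == nil {
		return fmt.Errorf("leaf: no PEM block found")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	if leaf.SerialNumber.Sign() <= 0 {
		return fmt.Errorf("leaf serial %v is not a positive integer", leaf.SerialNumber)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: ims, DNSName: host})
	return err
}

// mint is a constructed stand-in for "pkitool create" so the example runs offline: it issues a certificate
// for cn signed by parent with pkey (self-signed when parent is nil); a CA is minted by passing dns == nil.
func mint(serial int64, cn string, dns []string, parent *x509.Certificate, pkey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: dns == nil, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, DNSNames: dns, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(2, 0, 0)}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), t, key
}
```

To check real pkitool output, pass the os.ReadFile contents of rootCA.pem, imCA.pem and server1.pem to VerifyChain with the leaf's DNS SAN as host.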