Home
Cert-Tool is a command-line application that lets you generate cross-platform self-signed certificates without having to use PowerShell, Java's keytool or, even worse, OpenSSL.
Cert-Tool requires npm to work. This can be downloaded here.
NOTE: At the time of writing, cert-tool is not available through npmjs.com -- but we are working hard to get this done as soon as possible. See Getting Started for installation.
Simply git clone this repo:

```
$ git clone git@github.com:PaperCutSoftware/cert-tool.git
```

Navigate to the cert-tool directory:

```
$ cd ~/Documents/cert-tool
```

Install it globally via npm:

```
$ npm i -g
```

Start using cert-tool!

```
$ cert-tool --help
```
Cert-tool is useful for simplifying an end-to-end TLS implementation.
We currently support two popular formats: PFX and PEM.

For example, to generate a certificate for a local environment (i.e. localhost or 127.0.0.1), simply run:

```
$ cert-tool -t <pem|pfx> [-p <password>]
```

Note -- a password is required for the PFX format.

To set up TLS between two entities on a network, add the IP of the other side so it is included in the certificate:

```
$ cert-tool -t <pem|pfx> [-p <password>] -i <IP of external server>
```

You can also use a hostname instead:

```
$ cert-tool -t <pem|pfx> [-p <password>] -h <hostname of external server>
```
```
cert-tool v1.0.1
Usage: cert-tool -t <certficiate type>
Options:
--help Show help [boolean]
--version Show version number [boolean]
-f, --file The name of the certificate file(s) [string]
-t, --type The module type to generate the certificate for
[string] [required] [choices: "pem", "pfx"]
-o, --output The output directory for the certificates [string]
-c, --combined Whether to combine certificate and key in the same file(PEM
certificate type only) [boolean]
-p, --password The password for our pfx file [string]
-i, --ip Sets the IP of subject alternate name, if null it will be set
to your external IP [string]
-h, --hostname Sets the hostname of the subject alternate name [string]
```
C# - Using ASP.NET and Kestrel
```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;

// Load the PFX produced by `cert-tool -t pfx -p <password>`.
// In a real deployment read the password from configuration, not a literal.
var certificate = new X509Certificate2("certificate.pfx", "password");
var host = new WebHostBuilder()
    .UseKestrel(options =>
    {
        // Serve HTTPS on port 5001 using the self-signed certificate
        options.Listen(IPAddress.Any, 5001, listenOptions =>
        {
            listenOptions.UseHttps(certificate);
        });
    })
    .UseContentRoot(Directory.GetCurrentDirectory())
    .UseStartup<Startup>()
    .Build();
try
{
    host.Run();
}
catch (IOException io)
{
    // If we are here, something is wrong!
    Console.Error.WriteLine(io.Message);
}
```
Python - Using Bottle and Cheroot
```python
import ssl

from bottle import run, ServerAdapter
from cheroot import wsgi
from cheroot.ssl.builtin import BuiltinSSLAdapter


class SSLCherryPyServer(ServerAdapter):
    """Bottle server adapter that serves HTTPS through cheroot using the
    PEM certificate and key produced by `cert-tool -t pem`."""

    def run(self, handler):
        server = wsgi.Server((self.host, self.port), handler)
        server.ssl_adapter = BuiltinSSLAdapter(
            "certificate.pem", "key.pem")
        # Restrict old TLS negotiation
        server.ssl_adapter.context.options |= ssl.OP_NO_TLSv1
        server.ssl_adapter.context.options |= ssl.OP_NO_TLSv1_1
        try:
            server.start()
        finally:
            server.stop()


if __name__ == "__main__":
    run(host="0.0.0.0", port=5001, server=SSLCherryPyServer)
```
- Most browsers will complain about self-signed certificates, so to get around this you will need to add the certificate to your OS keystore and trust it. Double-click the PEM or PFX file that gets generated -- this adds the certificate to your OS keystore and tells your browser it is a valid certificate.
- Make sure you set it as a trusted certificate, by adding it to the Trusted CA Root store in Windows or by setting 'Always Trust' in Keychain Access on Mac.
- Testing tools like Postman also complain about self-signed certificates; to get past issues like this you may have to disable SSL verification in that tool for your local testing session.
- You will need to make sure the certificate covers all IPs/hostnames of the server you are trying to access. At the time of writing, you can only configure the certificate to have the local endpoints, as well as one external IP and one external hostname.
- For example, if your certificate only covers localhost and you try to access the web server through 127.0.0.1, you will get an invalid certificate error.
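To see why the last two points matter, here is an added example (not part of cert-tool; written in Go against the standard library) that builds a self-signed certificate with the same kind of Subject Alternative Name entries that cert-tool's -i and -h options produce, and then checks which hosts a client would accept. `selfSigned` and `covers` are hypothetical helper names chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed server certificate whose SAN lists the given
// DNS names and IP literals, mirroring cert-tool's -h and -i options (hypothetical helper).
func selfSigned(dnsNames []string, ips []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cert-tool example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("invalid IP %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// covers reports whether a client connecting to host would accept the SAN:
// an IP literal must appear as an IP entry and a name as a DNS entry; the Subject
// CN is not consulted, which is why a localhost-only cert fails for 127.0.0.1.
func covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}
```

Running `covers` against a certificate built with `selfSigned([]string{"localhost"}, nil)` returns true for "localhost" and false for "127.0.0.1", which is exactly the invalid certificate error described above.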
If you have any questions, concerns or feedback on this tool, please don't hesitate to create an Issue or submit a Pull Request!