该所有者的项目
(etcd-ca
A simple certificate manager written in Go. Easy to use with limited capability.
DEPRECATED
etcd now uses cfssl as the official tool to generate certificates. cfssl provides more features and is well maintained. We provide an example using the tool here.
Common Uses
etcd-ca allows you to build your own certificate system:
- Create certificate authority
- Create, issue and export host certificates
- Manage host identities
- Deploy a Public Key Infrastructure
Primarly used for coreos/etcd SSL/TLS testing.
Certificate architecture
etcd-ca inits a certificate authority, and issues certificates using the authority only. It indicates the length of authorization path is at most 2.
Examples
Create a new certificate authority:
$ ./etcd-ca init
Created ca/key
Created ca/crt
Create a new host identity, including keypair and certificate request:
$ ./etcd-ca new-cert alice
Created alice/key
Created alice/csr
etcd-ca uses 127.0.0.1 for IP SAN in default. If etcd has peer address $etcd_ip other than 127.0.0.1, run ./etcd-ca new-cert -ip $etcd_ip alice instead.
If your server has mutiple ip addresses or domains, use comma seperated ip/domain list with -ip/-domain. eg: ./etcd-ca new-cert -ip $etcd_ip1,$etcd_ip2 -domain $etcd_domain1,$etcd_domain2
Sign certificate request of host and generate the certificate:
$ ./etcd-ca sign alice
Created alice/crt from alice/csr signed by ca.key
Export the certificate chain for host:
$ ./etcd-ca chain alice
----BEGIN CERTIFICATE-----
CA certificate body
-----END CERTIFICATE-----
----BEGIN CERTIFICATE-----
alice certificate body
-----END CERTIFICATE-----
Package up the certificate and key of host:
$ ./etcd-ca export alice > alice.tar
Because etcd takes unencrypted key for -key-file and -peer-key-file, you should use ./etcd-ca export --insecure alice > alice.tar to export private key.
List the status of all certificates:
$ ./etcd-ca status
ca: WARN (60 days until expiration)
alice: OK (120 days until expiration)
bob: Unsigned
Getting Started
Building
etcd-ca must be built with Go 1.3+. You can build etcd-ca from source:
$ git clone https://github.com/coreos/etcd-ca
$ cd etcd-ca
$ ./build
This will generate a binary called ./bin/etcd-ca
Examples
generate certificates for etcd
Project Details
Contributing
See CONTRIBUTING for details on submitting patches and contacting developers via IRC and mailing lists.
License
etcd-ca is under the Apache 2.0 license. See the LICENSE file for details.