README
¶
Easy CA CLI
Table Of Contents
- What is easy-ca-cli?
- Features
- Installation
- Docker image
- Usage
- Troubleshooting
- Related Projects
- CHANGELOG
- LICENSE
What is easy-ca-cli?
The easy-ca-cli is a fast, simple certificate generation utility built in Go.
It serves as a command-line interface to the core easy-ca library, providing an accessible way to generate various certificate types with customizable parameters.
Features
The CLI offers a comprehensive set of features for certificate generation:
Supported Key Algorithms
| Algorithm | Flag | Options |
|---|---|---|
| RSA | --rsa |
Key size: --rsa-keysize (2048, 3072, 4096) |
| ECDSA | --ecdsa |
Curve: --ecdsa-curve (P224, P256, P384, P521) |
| ED25519 | --ed25519 |
No additional options |
Certificate Types and Generation
- Certificate Authority (Root CA)
- Intermediate Certificate Authority (Intermediate CA)
- TLS/Server Certificates
- Support for certificate chains
- PKCS8 format for private keys
- PKCS12 format for the key pair
- Customizable output paths
Customizable Certificate Information
- Subject fields: C, O, OU, CN, Serial Number, L, ST, Postal Code
- Subject Alternative Name (SAN)
- DNS names
- IP addresses
- Validity period configuration
Installation
easy-ca-cli binaries are provided for Linux, macOS and Windows.
Recommended
curl -sSfL https://get.lolico.me/easy-ca-cli | sh -s -- -b /usr/local/bin
Install script options:
-b: Specify a custom installation directory (defaults to./bin)-d: More verbose logging levels (-dfor debug,-ddfor trace)-v: Verify the signature of the downloaded artifact before installation (requires cosign to be installed)
Manual
You can download and extract the latest release from GitHub Releases Page
Guided installation steps
Here we use macOS (Darwin) on the arm64 architecture as an example for installation.
-
Download these files for your version from the GitHub Releases Page
- tarball:
easy-ca-cli_$version_darwin_arm64.tar.gz - checksums (optional):
easy-ca-cli_$version_sha256_checksums.txt - signature (optional):
easy-ca-cli_$version_sha256_checksums.txt.sig - certificate (optional):
easy-ca-cli_$version_sha256_checksums.txt.pem
- tarball:
-
(Optional) Verifying the signature of your downloaded checksums file
If you chose to manually download the tarball file in the above steps, you can use the following steps to verify the signatures and checksums by using the cosign and sha256sum tool.
# Your downloaded version (without prefix `v`) # Example: version=1.4.0 # 1. Verify the signature of checksum file cosign verify-blob easy-ca-cli_${version}_sha256_checksums.txt \ --certificate easy-ca-cli_${version}_sha256_checksums.txt.pem \ --signature easy-ca-cli_${version}_sha256_checksums.txt.sig \ --certificate-identity "https://github.com/c3b2a7/easy-ca-cli/.github/workflows/cd.yml@refs/tags/v${version}" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" # 2. Verify the tarball’s checksums sha256sum --ignore-missing --check easy-ca-cli_${version}_sha256_checksums.txt -
Unpack tarball
-
Confirm the version with the following command
easy-ca-cli --version
Building From Source
go install github.com/c3b2a7/easy-ca-cli@latest
Docker image
easy-ca-cli are also available as a Docker image. For example:
docker run --rm -i ghcr.io/c3b2a7/easy-ca-cli:latest
[!TIP] You can mount volumes using the
-voption, e.g.-v <host_path>:<container_path>, so it's easier to access the generated certificates and keys.
docker run -v ./data:/data --rm -i ghcr.io/c3b2a7/easy-ca-cli:latest gen ca --rsa \
--subject "/C=CN/O=Easy CA/OU=IT Dept./CN=Easy CA Root" \
--out-key /data/ca_key.pem --out-cert /data/ca_cert.pem
Multiple versions are available on ghcr.io.
Usage
The CLI provider gen ca and gen tls commands for certificate generation, you can run easy-ca-cli help [command] for more information about a command and its flags.
Here are some basic examples of how to use easy-ca-cli.
Creating a Certificate Authority (CA)
The following command creates a self-signed root CA certificate using ECDSA with the P384 curve:
easy-ca-cli gen ca --ecdsa --ecdsa-curve P384 \
--subject "/C=CN/O=Easy CA/OU=IT Dept./CN=Easy CA Root" \
--start-date "2025-01-01 12:00:00" --days 3650 \
--out-key ca_key.pem --out-cert ca_cert.pem
This command:
- Uses the
ECDSAalgorithm withP384curve - Sets the certificate subject information
- Makes the certificate valid from January 1, 2025 for 10 years (3650 days)
- Outputs the private key to
ca_key.pemand the certificate toca_cert.pem
Generating an Intermediate CA
To create an intermediate CA signed by your root CA:
easy-ca-cli gen ca --ed25519 \
--subject "/C=CN/O=Easy CA/OU=IT Dept./CN=Easy CA Intermediate" \
--start-date "2025-01-01 13:00:00" --days 1825 \
--issuer-key ca_key.pem --issuer-cert ca_cert.pem \
--out-key intermediate_key.pem --out-cert intermediate_cert.chain.pem
This command:
- Creates an intermediate CA using the
ed25519algorithm - References the root CA's private key and certificate for signing
- Outputs a certificate chain in
intermediate_cert.chain.pemthat includes both the intermediate CA and root CA certificates
Generating a TLS Certificate
To create a TLS certificate signed by your intermediate CA:
easy-ca-cli gen tls --rsa --rsa-keysize 4096 \
--subject "/C=CN/O=Example Inc/OU=Web Services/CN=example.com" \
--host "example.com,www.example.com,192.168.1.100" \
--start-date "2025-01-01 14:00:00" --days 365 \
--issuer-key intermediate_key.pem --issuer-cert intermediate_cert.chain.pem \
This command:
- Uses the
RSAalgorithm with 4096-bit key size - Sets the certificate subject and Subject Alternative Names (SANs) for multiple domains and an IP address
- Makes the certificate valid for 1 year
- References the intermediate CA for signing
- Outputs generated certificate and private key by default file name, if flags are not specified.
Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| "Command not found" error | Ensure the binary is in a directory listed in your PATH environment variable |
| Permission denied | Make sure the binary is executable (chmod +x easy-ca-cli) |
| Incompatible architecture | Download the binary that matches your system architecture (amd64/arm64) |
Getting Help
If you encounter issues not covered in this guide, you can:
- Check the GitHub repository for open issues
- Open a new issue if your problem hasn't been reported
Related Projects
- easy-ca: The core library that provides the certificate generation functionality
- cobar: A powerful framework for creating modern CLI applications with nested commands
CHANGELOG
See CHANGELOG.md
LICENSE
Easy CA CLI is released under the MIT license. See LICENSE
Documentation
¶
Overview ¶
Copyright © 2023 c3b2a <[email protected]>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Source Files
Directories