Skip to content

feat: add mTLS CA and client certificate generation flow #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jfut merged 1 commit into from
May 6, 2026
Merged

feat: add mTLS CA and client certificate generation flow #7

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 42 additions & 9 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,24 +3,28 @@
![Tag](https://img.shields.io/github/tag/jfut/sslcert-cli.svg)
[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)

sslcert-cli is a command line tool that create SSL certificate files such as a private key, CSR, and CRT.
`sslcert-cli` is a command line tool that creates SSL certificate files such as a private key, CSR, and CRT, and also supports generating mTLS private CA and client certificates.

## Usage

```bash
sslcert-cli 1.1.0
sslcert-cli 1.2.0

Create SSL certificate files such as a private key, CSR, and CRT.
Create SSL certificate files such as a private key, CSR, and CRT, and also support generating mTLS private CA and client certificates.

Usage:
sslcert-cli [-f] [-o OUTPUT_DIR] [-l KEY_BIT_LENGTH] [-p KEY_PASS_PHRASE] [-s SUBJECT] [-S] [-A SUBJECT_ALT_NAMES] [-D EXPIRE_DAYS] -n FQDN

sslcert-cli -m mtls [-f] [-o OUTPUT_DIR] [-l KEY_BIT_LENGTH] [-p KEY_PASS_PHRASE] [-s SUBJECT] [-D EXPIRE_DAYS] -n CA_NAME
sslcert-cli -m mtls -i [-f] [-o OUTPUT_DIR] [-l KEY_BIT_LENGTH] [-p KEY_PASS_PHRASE] [-s SUBJECT] [-R CA_DIR] [-k CA_KEY_FILE] [-r CA_CRT_FILE] [-P MTLS_CA_KEY_PASS_PHRASE] [-A SUBJECT_ALT_NAMES] [-D EXPIRE_DAYS] -n CLIENT_NAME

sslcert-cli -c FQDN_CSR_FILE
sslcert-cli -c FQDN_CRT_FILE
sslcert-cli -C FQDN_CRT_FILE

Default options:
-o Output directory (default: FQDN/YYYY-MM-DD/)
-l Key bit length (default: 2048)
-d Expiration date of self-signed certificate file (default: 365)
-D Expiration days of certificate file (default: 365)

Examples:
Create private key and CSR files:
Expand All @@ -37,20 +41,49 @@ Examples:
Create private key and CSR files in a specific output directory:
sslcert-cli -o /path/to/output/ -n example.org

Create private key and CSR files in a specific output directory with overwrite:
Create private key and CSR files in a specific output directory with overwrite enabled:
sslcert-cli -o /path/to/output/ -n example.org -f

Create private key, CSR and self-signed CRT files with an expiration date of 3650 days:
sslcert-cli -n example.org
sslcert-cli -n example.org \
-s "/C=JP/ST=Tokyo/L=Shinjuku-ku/O=Example Corporation/OU=Example Group/CN=example.org/emailAddress=ssladmin@example.org" \
-S -A "*.example.org,example.com" \
-D 3650

# mTLS

Create mTLS private CA only:
MTLS_CA_KEY_PASS_PHRASE=$(read -s -p "MTLS_CA_KEY_PASS_PHRASE: " MTLS_CA_KEY_PASS_PHRASE; echo ${MTLS_CA_KEY_PASS_PHRASE})
sslcert-cli -m mtls -P "${MTLS_CA_KEY_PASS_PHRASE}" -n mtls.example.com \
-s "/C=JP/ST=Tokyo/L=Shinjuku-ku/O=Example Corporation/OU=Example Group/CN=mtls.example.com" -D 36500

Create mTLS client certificate by auto-detecting CA files from directory:
MTLS_CA_KEY_PASS_PHRASE=$(read -s -p "MTLS_CA_KEY_PASS_PHRASE: " MTLS_CA_KEY_PASS_PHRASE; echo ${MTLS_CA_KEY_PASS_PHRASE})
MTLS_CLIENT_KEY_PASS_PHRASE=$(read -s -p "MTLS_CLIENT_KEY_PASS_PHRASE: " MTLS_CLIENT_KEY_PASS_PHRASE; echo ${MTLS_CLIENT_KEY_PASS_PHRASE})
sslcert-cli -m mtls -i -n client1.mtls.example.com \
-R mtls.example.com/YYYY-MM-DD/ \
-P "${MTLS_CA_KEY_PASS_PHRASE}" \
-p "${MTLS_CLIENT_KEY_PASS_PHRASE}" \
-D 36500
# If both client and CA pairs exist, *-mtls-ca.key/crt is preferred automatically.
# If -o is specified together with -R, the -o path is used as the output directory.

Create mTLS client certificate with existing private CA:
MTLS_CA_KEY_PASS_PHRASE=$(read -s -p "MTLS_CA_KEY_PASS_PHRASE: " MTLS_CA_KEY_PASS_PHRASE; echo ${MTLS_CA_KEY_PASS_PHRASE})
MTLS_CLIENT_KEY_PASS_PHRASE=$(read -s -p "MTLS_CLIENT_KEY_PASS_PHRASE: " MTLS_CLIENT_KEY_PASS_PHRASE; echo ${MTLS_CLIENT_KEY_PASS_PHRASE})
sslcert-cli -m mtls -i -n client1.example.com \
-k mtls.example.com/YYYY-MM-DD/private-ca.key -r /path/to/private-ca.crt \
-P "${MTLS_CA_KEY_PASS_PHRASE}" \
-p "${MTLS_CLIENT_KEY_PASS_PHRASE}" \
-D 36500

# Check

Check CSR file:
sslcert-cli -c example.org.csr

Check CRT file:
sslcert-cli -c example.org.crt
sslcert-cli -C example.org.crt

Server configuration examples:
Apache:
Expand All @@ -59,7 +92,7 @@ Server configuration examples:
SSLCertificateChainFile /path/to/example.org.ca.crt

nginx:
ssl_certificate /path/to/example.org.crt;
ssl_certificate /path/to/example.org.fullchain.crt;
ssl_certificate_key /path/to/example.org.key;
```

Expand Down
Loading
Loading