author: Jeremy Clerc <jclerc@google.com> 2017-02-17 11:15:40 +0100
committer: Jeremy Clerc <jclerc@google.com> 2017-02-17 11:15:40 +0100
commit: d7ae2721b8268b1e2880656504f41d4ae94c902b
tree: 7d38cfb72f8a710b1be234d220cca058f55814ff
parent: dd4d79f910a302184cc1a4a135c4cb5d44eccd68
Update README to match current state of the CLI.
-rw-r--r-- README.md 96
1 files changed, 48 insertions, 48 deletions
diff --git a/README.md b/README.md
index b9ba104..f2a67e6 100644
--- a/README.md
+++ b/README.md
@@ -1,86 +1,86 @@
[![Build
Status](https://travis-ci.org/google/easypki.svg?branch=master)](https://travis-ci.org/google/easypki)
[![codecov](https://codecov.io/gh/google/easypki/branch/master/graph/badge.svg)](https://codecov.io/gh/google/easypki)
-[![godoc](https://godoc.org/github.com/google/easypki?status.svg)](https://godoc.org/github.com/google/easypki)
easypki
======
-Easypki attempts to make managing a Certificate Authority very easy.
-Serial, index, etc, are formatted in a way to be compatible with openssl,
-so you can use openssl for commands not implemented by easypki.
-
-# Usage
+Easy Public Key Infrastructure intends to provide most of the components needed
+to manage a PKI, so you can either use the API in your automation, or use the
+CLI.
-Easypki usage is straighforward:
+# API
-1. Init the directory you will use
-2. Create the CA
-3. Create certificates
+[![godoc](https://godoc.org/github.com/google/easypki?status.svg)](https://godoc.org/github.com/google/easypki)
-Create an env.sh that you can source later (or add to your .bashrc)
+For the latest API:
```
-export PKI_ROOT=/tmp/pki
-export PKI_ORGANIZATION="Umbrella Corp"
-export PKI_ORGANIZATIONAL_UNIT=IT
-export PKI_COUNTRY=US
-export PKI_LOCALITY="Agloe"
-export PKI_PROVINCE="New York"
+import "gopkg.in/google/easypki.v1"
```
-Before being able to create you certificates, you need to `init` the root directory.
-It creates files and directories required by easypki.
+## Legacy API
-```
-mkdir $PKI_ROOT
-easypki init
-```
+API below pkg/ has been rewritten to allow extensibility in terms of PKI
+storage and better readability.
-Args passed to create make the Common Name, here: "Umbrella Corp Global Authority"
+If you used the legacy API that was only writing files to disk, a tag has been
+applied so you can still import it:
```
-easypki create --ca Umbrella Corp Global Authority
+import "gopkg.in/google/easypki.v0"
```
-Then you can choose between server and client certificate, by default server is implied, to generate a client certificate add `--client`
+# CLI
-Generate a wildcard certificate for your web apps:
+Current implementation of the CLI uses the local store and uses a structure
+compatible with openssl, so you are not restrained.
```
-easypki create --dns "*.umbrella.com" *.umbrella.com
-```
+# Get the CLI:
+go get github.com/google/easypki/cmd/easypki
-Another example, a certificate for wiki and www:
-```
-easypki create --dns "www.umbrella.com" --dns "wiki.umbrella.com" www.umbrella.com
-```
+# You can also pass the following through arguments if you do not want to use
+# env variables.
+export PKI_ROOT=/tmp/pki
+export PKI_ORGANIZATION="Acme Inc."
+export PKI_ORGANIZATIONAL_UNIT=IT
+export PKI_COUNTRY=US
+export PKI_LOCALITY="Agloe"
+export PKI_PROVINCE="New York"
-For more info about available flags, checkout out the help `-h`
+mkdir $PKI_ROOT
-You will find the generated cert in `issued` and private key in `private`
+# Create the root CA:
+easypki create --filename root --ca "Acme Inc. Certificate Authority"
-# API
+# In the following commands, ca-name corresponds to the filename containing
+# the CA.
-For the latest API:
+# Create a server certificate for blog.acme.com and www.acme.com:
+easypki create --ca-name root --dns blog.acme.com --dns www.acme.com www.acme.com
-```
-import "gopkg.in/google/easypki.v1"
-```
+# Create an intermediate CA:
+easypki create --ca-name root --filename intermediate --intermediate "Acme Inc. - Internal CA"
-## Legacy API
+# Create a wildcard certificate for internal use, signed by the intermediate ca:
+easypki create --ca-name intermediate --dns "*.internal.acme.com" "*.internal.acme.com"
-API below pkg/ has been rewritten to allow extensibility in terms of PKI
-storage and better readability.
+# Create a client certificate:
+easypki create --ca-name intermediate --client --email bob@acme.com bob@acme.com
-If you used the legacy API that was only writing files to disk, a tag has been
-applied so you can still import it:
+# Revoke the www certificate.
+easypki revoke $PKI_ROOT/root/certs/www.acme.com.crt
+# Generate a CRL expiring in 1 day (PEM Output on stdout):
+easypki crl --ca-name root --expire 1
```
-import "gopkg.in/google/easypki.v0"
-```
+You will find the generated certificates in `$PKI_ROOT/ca_name/certs/` and
+private keys in `$PKI_ROOT/ca_name/keys/`
+
+For more info about available flags, checkout out the help `easypki -h`.
# Disclaimer
-This is not an official Google product
+This is not an official Google product.
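Review bot: The new CLI example sets `PKI_ROOT=/tmp/pki` and creates it with a bare `mkdir $PKI_ROOT`, while the closing paragraph says private keys are written to `$PKI_ROOT/ca_name/keys/`, so anyone copying the block verbatim puts root and intermediate CA keys under a directory in shared /tmp whose access is decided only by the caller's umask. Consider either a comment marking /tmp/pki as a throwaway demo location or an example path outside /tmp, and create the directory restrictively and quoted, for example `mkdir -m 700 "$PKI_ROOT"`. The README could also state what permissions the local store applies to the `keys/` directory so readers know whether they need to tighten it themselves. Separately, the added help line still reads "checkout out the help"; it should be "check out the help". The comment "Revoke the www certificate." ends with a period where the other step comments end with a colon.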