//go:build !coverage
// +build !coverage
// Utility to generate self-signed certificates.
// It generates a self-signed x509 certificate and key pair, and writes them
// to "fullchain.pem" and "privkey.pem".
//
// Intended for use in tests, not for production use.
package main
import (
crand "crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"flag"
"fmt"
"math/big"
"net"
"os"
"strings"
"time"
"golang.org/x/net/idna"
)
var (
host = flag.String("host", "",
"Hostnames/IPs to generate the certificate for (comma separated)")
validFor = flag.Duration("validfor", 4*time.Hour,
"How long will the certificate be valid for")
isCA = flag.Bool("ca", false,
"Should this cert be its own CA?")
)
func fatalf(f string, a ...interface{}) {
fmt.Printf(f, a...)
os.Exit(1)
}
func main() {
flag.Parse()
if *host == "" {
fatalf("Required flag: --host")
}
// Build the certificate template.
serial, err := crand.Int(crand.Reader, big.NewInt(1<<62))
if err != nil {
fatalf("Error generating serial number: %v\n", err)
}
tmpl := x509.Certificate{
SerialNumber: serial,
Subject: pkix.Name{Organization: []string{"Test Cert Org"}},
// Valid from now until `--validfor` in the future.
// Extended certs can be useful for manual troubleshooting.
NotBefore: time.Now(),
NotAfter: time.Now().Add(*validFor),
KeyUsage: x509.KeyUsageKeyEncipherment |
x509.KeyUsageDigitalSignature |
x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
if *isCA {
tmpl.IsCA = true
}
hosts := strings.Split(*host, ",")
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
} else {
// We use IDNA-encoded DNS names, otherwise the TLS library won't
// load the certificates.
ih, err := idna.ToASCII(h)
if err != nil {
fatalf("Host %q cannot be IDNA-encoded: %v\n", h, err)
}
tmpl.DNSNames = append(tmpl.DNSNames, ih)
}
}
// Generate a private key (RSA 2048).
privK, err := rsa.GenerateKey(crand.Reader, 2048)
if err != nil {
fatalf("Error generating key: %v\n", err)
}
// Write the certificate.
{
derBytes, err := x509.CreateCertificate(
crand.Reader, &tmpl, &tmpl, &privK.PublicKey, privK)
if err != nil {
fatalf("Failed to create certificate: %v\n", err)
}
fullchain, err := os.Create("fullchain.pem")
if err != nil {
fatalf("Failed to open fullchain.pem: %v\n", err)
}
err = pem.Encode(fullchain,
&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
if err != nil {
fatalf("Error encoding certificate: %v\n", err)
}
fullchain.Close()
}
// Write the private key.
{
privkey, err := os.Create("privkey.pem")
if err != nil {
fatalf("failed to open privkey.pem: %v\n", err)
}
block := &pem.Block{Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(privK)}
err = pem.Encode(privkey, block)
if err != nil {
fatalf("Error encoding private key: %v\n", err)
}
privkey.Close()
}
}