The problem.

Generating TLS certs for testing is difficult. Most guides have incomprehensible commands that require security knowledge to operate.

The solution.

Cloudflare open-sourced its well-trusted Golang TLS library, cloudflare/cfssl. It has sane defaults and is constantly updated with best practices. We've compiled it to WebAssembly so you can generate certs in your browser.

Try it out.

Code samples.

Here are some examples of doing mTLS in various languages.

Language: Go

Server:

package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"
)

func main() {
	caCert, err := os.ReadFile("./ca.pem")
	if err != nil {
		log.Fatalf("reading ca cert: %s", err)
	}

	// AppendCertsFromPEM reports false when the file held no usable certificate;
	// an empty pool would silently trust nothing, so fail loudly instead.
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(caCert) {
		log.Fatal("ca.pem contains no parseable certificates")
	}

	conf := &tls.Config{
		ClientCAs: certPool,
		// ClientCAs only names the CAs to trust. Without ClientAuth the server
		// still accepts clients that present no certificate at all, so this
		// line is what actually turns TLS into mTLS.
		ClientAuth: tls.RequireAndVerifyClientCert,
	}

	httpServer := &http.Server{
		Addr:      ":443",
		TLSConfig: conf,
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.WriteHeader(http.StatusOK)
		}),
	}

	err = httpServer.ListenAndServeTLS("./server.pem", "./server-key.pem")
	if err != nil {
		log.Fatalf("listen and serving: %s", err)
	}
}

Client:

package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"os"
)

func main() {
	cert, err := tls.LoadX509KeyPair("./client.pem", "./client-key.pem")
	if err != nil {
		log.Fatalf("loading key pair: %s", err)
	}

	caCert, err := os.ReadFile("./ca.pem")
	if err != nil {
		log.Fatalf("reading ca cert: %s", err)
	}

	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(caCert) {
		log.Fatal("ca.pem contains no parseable certificates")
	}
	conf := &tls.Config{
		Certificates: []tls.Certificate{cert}, // presented when the server requests client auth
		RootCAs:      certPool,                // trust only our CA for the server's certificate
	}

	client := http.Client{
		Transport: &http.Transport{
			TLSClientConfig: conf,
		},
	}

	resp, err := client.Get("https://server/")
	if err != nil {
		log.Fatalf("sending request: %s", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		log.Fatalf("expected status %d but got %d", http.StatusOK, resp.StatusCode)
	}
}
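The two programs above read certificate files from disk and need a real host, so they cannot show on their own what ClientAuth buys you. The following self-contained program, added here as an example and not part of the tlscerts project, generates a throwaway CA, a server certificate and a client certificate in memory, starts the same style of mTLS server on a loopback port, and then makes one request with a client certificate and one without. The names (mustIssue, RunDemo, Result, the CNs "demo-ca", "server" and "alice") are assumptions for this example only. It shows that the server rejects the handshake from the client that has no certificate, and that the handler can read the verified client identity from r.TLS.PeerCertificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// mustIssue fills in serial, subject and a one-hour validity on tmpl, generates a P-256 key
// and signs the certificate with parentKey (self-signed when parent == nil, which is how the
// throwaway CA is made). Panicking on error is fine for demo-only key material.
func mustIssue(serial int64, cn string, tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	tmpl.SerialNumber, tmpl.Subject = big.NewInt(serial), pkix.Name{CommonName: cn}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	tmpl.KeyUsage |= x509.KeyUsageDigitalSignature
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, key
}

// Result captures what each client attempt observed.
type Result struct {
	WithCertStatus int    // HTTP status seen by the client that presented a certificate
	WithCertBody   string // the CN the server read from that client's verified certificate
	WithCertErr    error  // request error for that client (nil on success)
	WithoutCertErr error  // error seen by the client that presented no certificate
}

// RunDemo stands up an mTLS server on a loopback port and sends one request with a client
// certificate and one without.
func RunDemo() Result {
	_, caCert, caKey := mustIssue(1, "demo-ca", &x509.Certificate{IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	serverCert, _, _ := mustIssue(2, "server", &x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}, caCert, caKey) // the IP SAN is what the client verifies
	clientCert, _, _ := mustIssue(3, "alice", &x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)

	// ClientCAs alone only names the trusted CAs; ClientAuth is what makes the handshake fail
	// when no valid client certificate is presented.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		panic(err)
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Client auth was enforced during the handshake, so PeerCertificates[0] is a verified identity.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	})}
	go srv.Serve(ln)
	defer srv.Close()
	url := "https://" + ln.Addr().String() + "/"

	get := func(conf *tls.Config) (int, string, error) {
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: conf}, Timeout: 5 * time.Second}
		resp, err := client.Get(url)
		if err != nil {
			return 0, "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return resp.StatusCode, string(body), err
	}
	var res Result
	res.WithCertStatus, res.WithCertBody, res.WithCertErr = get(&tls.Config{RootCAs: pool, Certificates: []tls.Certificate{clientCert}})
	_, _, res.WithoutCertErr = get(&tls.Config{RootCAs: pool})
	return res
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Run it with go run and the first request comes back 200 with body "alice", while the second fails with a TLS error because the server never lets the handshake complete without a certificate chaining to the CA in ClientCAs. Swapping ClientAuth for tls.NoClientCert (or leaving it unset, as in a server that only sets ClientCAs) makes the second request succeed as well, which is the misconfiguration the server sample is easiest to get wrong.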

Contributing.

Want to add something? Find a bug? This project is open-source, please send PRs to github.com/jchorl/tlscerts. Feel free to also get in touch at [email protected].