Certyaml - X509 Certificate Generation
Command Line Usage
mkdir -p certs
certyaml -d certs [path/to/certs.yaml]

Output: <subject_common_name>.pem (certificate followed by its chain), <subject_common_name>-key.pem, certs.state and, optionally, one <issuer_common_name>-crl.pem per issuer. Private keys are written unencrypted, so keep the output directory out of version control.
- If no manifest file is given, certyaml reads certs.yaml from the current directory.
- If no output directory (-d) is given, it writes to the current directory.
- It writes a certs.state file in the output directory to track the parameters each certificate was generated with, and on subsequent runs regenerates only certificates whose parameters changed or whose files are missing.
- To rotate or renew a certificate, delete its certificate and key files and re-run certyaml; a fresh key pair and certificate are generated in their place.
YAML Manifest Format
The certificate manifest file contains multiple documents separated by ---, each defining one certificate.
Key fields: subject (DN, must be unique), issuer (references earlier cert's subject), ca (bool), sans (list), filename (output file basename, defaults to CN), key_type (EC/RSA/ED25519), key_size, expires (duration), not_before/not_after (RFC3339), key_usages, ext_key_usages, crl_distribution_points, revoked.
Important: document order matters. An issuer must be defined earlier in the manifest than any certificate that references it.
Full field reference: https://github.com/tsaarni/certyaml
Example manifest:
subject: cn=root-ca
---
subject: cn=server
issuer: cn=root-ca
sans:
  - DNS:localhost
  - IP:127.0.0.1
ext_key_usages:
  - ServerAuth
---
subject: cn=client
issuer: cn=root-ca
ext_key_usages:
  - ClientAuth
Kubernetes Secrets
Upload or update certificates as Kubernetes secrets. Piping `kubectl create ... --dry-run=client -o yaml` into `kubectl apply -f -` makes the operation idempotent, so the same command works for both the first upload and later rotations:

# TLS secret type (kubernetes.io/tls)
kubectl create secret tls echoserver-cert --dry-run=client -o yaml \
  --cert=certs/echoserver.pem --key=certs/echoserver-key.pem | kubectl apply -f -

# Generic secret with custom key names (Opaque type), e.g. a trust anchor for clients
kubectl create secret generic internal-root-ca --from-file=ca.crt=certs/internal-root-ca.pem \
  --dry-run=client -o yaml | kubectl apply -f -

# Patch an existing kubernetes.io/tls secret to add ca.crt next to tls.crt/tls.key
kubectl patch secret openldap-cert --patch-file /dev/stdin <<EOF
data:
  ca.crt: $(cat certs/client-ca.pem | base64 -w 0)
EOF

Note that `base64 -w 0` is the GNU coreutils flag for unwrapped output; on macOS/BSD use `base64 | tr -d '\n'` instead. The heredoc delimiter is intentionally unquoted so the `$(...)` substitution runs before kubectl reads the patch.
Go API
Import: github.com/tsaarni/certyaml
Main type: Certificate struct with fields Subject, SubjectAltNames, Issuer (pointer to the issuing CA's Certificate; nil for self-signed), IsCA, KeyType, Expires, NotBefore/NotAfter, KeyUsage, ExtKeyUsage.
Key methods: PEM(), TLSCertificate(), X509Certificate(), WritePEM(), Generate().
CRL type: CRL struct. Methods: Add(cert), PEM(), WritePEM().
Full API docs: https://pkg.go.dev/github.com/tsaarni/certyaml
Code examples: https://github.com/tsaarni/certyaml/blob/master/examples/go-api/main.go

ca := certyaml.Certificate{Subject: "cn=ca"}
server := certyaml.Certificate{
	Subject:         "cn=server",
	SubjectAltNames: []string{"DNS:localhost"},
	Issuer:          &ca,
}
tlsCert, err := server.TLSCertificate() // use in tls.Config{Certificates: []tls.Certificate{tlsCert}} for http.Server
Patterns
- Mandatory field: only subject is required.
- Root CA (self-signed): omit the issuer field.
- Intermediate CA: set issuer: cn=parent-ca and ca: true.
- End-entity certificate: set issuer: cn=ca-name; ca: false is the default.
- Server certificate: add ext_key_usages: [ServerAuth].
- Client certificate: add ext_key_usages: [ClientAuth].
- Certificate revocation: set revoked: true to include the certificate in its issuer's CRL file.
- Certificate chains: end-entity PEM files include the full chain excluding the root CA, so the root must be distributed separately as the trust anchor (for example as the ca.crt key of a secret, as in the kubectl examples above).
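The chain and revocation patterns above, and the Go API section, as a practitioner check added here; this is example code, not part of certyaml or its documentation. VerifyChainFile takes a <cn>.pem laid out the way certyaml writes it (leaf first, issuing intermediates after, root excluded) plus the separately distributed root, and verifies it for a host name and extended key usage; IsRevoked checks that the issuer's <issuer-cn>-crl.pem is actually signed by that issuer before trusting its contents. Because certyaml's output files are not available offline, the fixture (Sample, issue, must) builds an equivalent root-ca -> intermediate-ca -> server hierarchy with crypto/x509 and a CRL listing the server as revoked; all function names and the fixture are assumptions of this example. To run it against real output, replace Sample() with os.ReadFile calls for certs/server.pem, certs/root-ca.pem and certs/intermediate-ca-crl.pem.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// VerifyChainFile validates a certyaml-style <cn>.pem (leaf first, then intermediates, root
// omitted) against the separately distributed root for one host name and extended key usage.
func VerifyChainFile(chainPEM, rootPEM []byte, host string, eku x509.ExtKeyUsage) (*x509.Certificate, error) {
	b, rest := pem.Decode(chainPEM) // first block is the end-entity certificate
	if b == nil {
		return nil, errors.New("chain file holds no certificate")
	}
	leaf, err := x509.ParseCertificate(b.Bytes)
	if err != nil {
		return nil, err
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM) // trust anchor distributed separately (e.g. the ca.crt secret key)
	inter.AppendCertsFromPEM(rest)    // remaining blocks are the intermediates; the root is not in the file
	_, err = leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{eku},
	})
	return leaf, err
}

// IsRevoked parses <issuer-cn>-crl.pem, checks that issuer signed it, and looks up cert's serial (Go 1.21+).
func IsRevoked(crlPEM []byte, issuer, cert *x509.Certificate) (bool, error) {
	b, _ := pem.Decode(crlPEM)
	if b == nil || b.Type != "X509 CRL" {
		return false, errors.New("no X509 CRL block in input")
	}
	rl, err := x509.ParseRevocationList(b.Bytes)
	if err != nil {
		return false, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	for _, e := range rl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Constructed fixture, not certyaml output: root-ca -> intermediate-ca -> server, built with
// crypto/x509 in the file layout certyaml uses so that the checks above run offline.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a CA or leaf with parent's key; with no parent the certificate is self-signed.
func issue(serial int64, cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // leaf SANs, as "sans: [DNS:localhost, IP:127.0.0.1]" in the manifest
		t.DNSNames, t.IPAddresses = []string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")}
	}
	if parent == nil {
		parent, pkey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Sample returns root-ca.pem, server.pem (leaf + intermediate, root excluded),
// intermediate-ca-crl.pem listing the server as revoked, and the intermediate certificate.
func Sample() ([]byte, []byte, []byte, *x509.Certificate) {
	root, rootKey, rootPEM := issue(1, "root-ca", true, nil, nil)
	inter, interKey, interPEM := issue(2, "intermediate-ca", true, root, rootKey)
	server, _, serverPEM := issue(3, "server", false, inter, interKey, x509.ExtKeyUsageServerAuth)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ // "revoked: true"
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: server.SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey))
	chain := append(append([]byte{}, serverPEM...), interPEM...)
	return rootPEM, chain, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER}), inter
}

func main() {
	rootPEM, serverPEM, crlPEM, inter := Sample()
	leaf, err := VerifyChainFile(serverPEM, rootPEM, "localhost", x509.ExtKeyUsageServerAuth)
	revoked, _ := IsRevoked(crlPEM, inter, leaf)
	fmt.Println("server.pem verifies for localhost:", err == nil, "| revoked per CRL:", revoked)
}
```

The two checks are deliberately separate: Go's Verify does not consult CRLs, so a chain that verifies can still be revoked, and a CRL whose signature is not checked against the issuer could be swapped for an empty one. Passing the leaf-only file (without the intermediate) to VerifyChainFile fails with an unknown-authority error, which is the symptom to expect when a consumer was given only the end-entity certificate rather than certyaml's chain file.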