A helper tool that simplifies the creation of development time SSL certificates for use with Java Webservers like Jetty.
Sometimes you just want a simple way to generate a Java Keystore file that you can supply to a Java server so that you can enable HTTPS development on your local machine.
Certifiable creates a secure root certificate on your machine that you can trust because the root keys get deleted. It then creates a single end user certificate and keys in the form of a Java Keystore.
This is more secure than the various tools that rely on you trusting a single root certificate while retaining the roots keys to allow the creation of more local certificates. While this is convenient it certainly isn't safe.
Certifiable only relies the Java keytool
command. Assuming that if
Java is installed then keytool
will be available as well.
Leiningen dependency information:
[com.bhauman/certifiable "0.0.2"]
clj/deps.edn information:
{:deps {com.bhauman/certifiable {:mvn/version "0.0.2"}}}
This tool was built based on this excellent shell script.
Make sure you have the Clojure tools installed
Then to generate a certificate execute the following:
$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.2"}}}' -m certifiable.main
If this is the first time its been run, this command will create a
directory in your home directory ~/_certifiable
and
populate it with a root certificate and a ca (certificate authority)
certificate.
The file ~/_certifiable_certs/localhost-1d070e4/dev-root-trust-this.pem
needs
to be trusted by your operating system and Firefox directly in order
to avoid the not trusted browser warnings.
On MacOS the above command will ask to have the generated certificate imported into your keychain as a trusted certificate.
The command will output a
~/_certifiable_certs/localhost-1d070e4/dev-server.jks
file that you
can supply to a Clojure webserver like ring.jetty.adapter
like so:
(require '[ring.adapter.jetty :refer [run-jetty]]
(run-jetty (fn [req] {:status 200 :content-type "text/plain" :body "Hi"}))
{:join? false
:port 9500
:ssl? true
:ssl-port 9533
:keystore "[path-to]/dev-server.jks"
:key-password "password"})
The password for the keystore is always password
.
If everything worked properly and you have trusted the root
certificate then visiting https://localhost:9533
,
https://www.localhost:9533
and https://127.0.0.1:9533
should all
work.
If you want your HTTPS server to be available on particular local
domain (I.E. example.test
) first make sure you have the domain added it to your
/etc/hosts
file. After you have done that you can call:
$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.2"}}}' -m certifiable.main -d "example.test,localhost"
That command will generate a new local development certifiable with a
custom the Subject Alternative Name section that includes both
example.test
and localhost
.
You can also supply a comma separated list of custom IP addresses with the -i
or --ips
option.
If you would like to output .jks
file to a certain path you can
supply a -o
or --output
option like so:
$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.2"}}}' -m certifiable.main -d "example.test,localhost" -o "dev-example.jks"
If a command isn't executing correctly you can use the -v
option to
print out all the calls to keytool
.
If you get to a point where things aren't working you can use the
--reset
option and it will clear out the root and ca certificates
and allow you to start from scratch.
$ clj -Sdeps '{:deps {com.bhauman/certifiable {:mvn/version "0.0.2"}}}' -m certifiable.main --reset
Using the -h
option with display all possible CLI options.
Copyright © 2018 Bruce Hauman
Distributed under the Eclipse Public License either version 1.0 or (at your option) any later version.
Can you improve this documentation?Edit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close