Go TLS Certificate Helper
Small helper library to generate a self-signed TLS certificate and return it
as a ready-to-use *tls.Config.
Overview
The package builds an in-memory certificate and private key pair from a
GenerateCertificate configuration and returns a TLS configuration with one
certificate entry.
Supported key options:
- RSA (default when EcdsaCurve is empty and Ed25519Key is false)
- Ed25519 (when Ed25519Key is true)
- ECDSA curves: P224, P256, P384, P521
Installation
go get scm.yoorie.de/go-lib/certs
Quick Start
package main

import (
	"fmt"
	"time"

	"scm.yoorie.de/go-lib/certs"
)

func main() {
	cfg := &certs.GenerateCertificate{
		Organization: "example.org",
		Host:         "127.0.0.1,localhost,api.example.org",
		ValidFor:     365 * 24 * time.Hour,
		RSABits:      2048,
	}
	tlsConfig, err := cfg.GenerateTLSConfig()
	if err != nil {
		panic(err)
	}
	fmt.Printf("certificates in config: %d\n", len(tlsConfig.Certificates))
}
API
Type: GenerateCertificate
- Organization string: certificate subject organization
- Host string: comma-separated DNS names and/or IPs for SAN
- ValidFrom string: optional start date in format Jan 2 15:04:05 2006
- ValidFor time.Duration: certificate validity duration
- IsCA bool: whether to mark certificate as CA
- RSABits int: RSA key size when RSA is used
- EcdsaCurve string: one of P224, P256, P384, P521
- Ed25519Key bool: generate Ed25519 key when true
Method
GenerateTLSConfig() (*tls.Config, error)
Creates a self-signed certificate and returns a *tls.Config with that
certificate.
Important Notes
- The certificate is self-signed (issuer equals subject).
- Host is split by comma and mapped into DNS or IP SAN entries.
- Invalid EcdsaCurve values are not recoverable: the implementation uses log.Fatalf, which terminates the process.
- Invalid ValidFrom values are not recoverable: the implementation uses log.Fatalf, which terminates the process.
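Because the certificate is self-signed, a client cannot validate it against the system roots. The following added example (not part of this package; standard library only) shows a client that trusts exactly that one certificate and still checks the SAN, instead of disabling verification. selfSigned is a hypothetical stand-in for GenerateTLSConfig, and PinnedClientConfig and the SAN values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned is a hypothetical stdlib stand-in for GenerateTLSConfig (assumption, not the package's code).
func selfSigned(dns []string, ips []net.IP) (*tls.Config, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"example.org"}},
		DNSNames: dns, IPAddresses: ips, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key) // template == parent: issuer equals subject
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}, nil
}

// PinnedClientConfig trusts only the server's own leaf and requires serverName to be in its SAN.
func PinnedClientConfig(serverCfg *tls.Config, serverName string) (*tls.Config, error) {
	leaf, err := x509.ParseCertificate(serverCfg.Certificates[0].Certificate[0])
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // pin this one certificate instead of setting InsecureSkipVerify
	// Same x509 check a crypto/tls client applies: chain to the pool, name must match a SAN.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName}); err != nil {
		return nil, err
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}, nil
}

func main() {
	if srv, err := selfSigned([]string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")}); err == nil {
		fmt.Println(PinnedClientConfig(srv, "other.example.org")) // nil config plus a hostname error
	}
}
```

In a real deployment the client would receive the certificate out of band (for example as a PEM file) rather than from the server's tls.Config.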
Development
Run quality checks locally:
go test ./...
go test -coverprofile .build/coverage.out ./...
go tool cover -func .build/coverage.out
go vet ./...
go run golang.org/x/vuln/cmd/govulncheck@latest ./...
Documentation
Copyright © 2026 yoorie.de