Replace openssl dependency in CA scripts with native Go implementation #18

New issue

Open

opened 2026-04-29 17:08:21 +02:00 by heiko · 1 comment

heiko commented

2026-04-29 17:08:21 +02:00

Owner

The CA scripts in CA/ (mkca, mkssl-pem) shell out to openssl for:

Generating RSA keys
Creating CSRs
Signing certificates (self-signed CA and issued certs)
Revoking certificates and generating CRLs

Since we already removed the openssl dependency from the server (PKCS12 bundling is now pure Go via software.sslmate.com/src/go-pkcs12), the CA scripts are the last remaining consumer of the openssl
binary.

Rewriting CA management as a Go tool would:

Remove the external openssl dependency entirely
Make cross-compilation simpler (single static binary)
Allow better integration with the rest of the cert-proxy codebase

The CA scripts in CA/ (mkca, mkssl-pem) shell out to openssl for: - Generating RSA keys - Creating CSRs - Signing certificates (self-signed CA and issued certs) - Revoking certificates and generating CRLs Since we already removed the openssl dependency from the server (PKCS12 bundling is now pure Go via software.sslmate.com/src/go-pkcs12), the CA scripts are the last remaining consumer of the openssl binary. Rewriting CA management as a Go tool would: - Remove the external openssl dependency entirely - Make cross-compilation simpler (single static binary) - Allow better integration with the rest of the cert-proxy codebase

heiko added the

enhancement

label

2026-04-29 17:08:21 +02:00

heiko self-assigned this

2026-04-29 17:08:21 +02:00

heiko referenced this issue from a commit

2026-04-29 23:48:22 +02:00

docs: update Known Issues and file permissions in README

heiko commented

2026-05-22 11:38:22 +02:00

Author