Creating Test Certificates

In the process of testing your TRISA implementation, you may wish to generate some test certificates (e.g. for use in unit testing). The TRISA engineers have created a command line tool for this purpose, which can be found in the trisacrypto/directory repository.

The Certificates command line client is a utility designed for local disk certificate management and test Certificate Authority (CA) for testing purposes. The code is located under cmd/certs. To install the latest version of the Certificates CLI, you must have Go installed on your computer. The following command will install the latest version of the CLI:

$ go install

Alternatively, to install the Certificate CLI from the trisacrypto/directory root, first clone the Directory repository and then run the following:

$ go install ./cmd/certs


Before using the certs CLI, you must confirm your environment has the certs program in your go workspace bin and is present in your $PATH.

$ ls $GOPATH/bin

The certs CLI has two command categories: for the CA and for the client certs. To see the CLI commands and which flags should be specified, use certs --help.

Creating a Test Certificate Authority (CA)

The first step to creating the local disk certificate management is creating the CA certs that contain a randomly generated certificate and RSA key pair. You can use certs init to create CA certs if they do not already exist. The -c flag specifies the output location to write the CA certs; without the flag, the default location of the CA certs will be in fixtures/certs/ca.gz. If you want to overwrite existing CA keys, you can use the -f flag.

$ certs init -c path/to/ca.gz

Generating the Certificates

After creating the local CA, it then can issue “self-signed” certificates by that local CA, e.g., certificates signed by the keys in ca.gz, as follows:

$ certs issue -c ca.gz -n "Common_Name" -O "Organization"

The issue command requires the -n flag (which specifies the common name for the certificate) and the -O flag (which specifies the name of the organization that the certificates are for.) The default output location is <common_name.gz>. However, there are other flags to specify additional information for the organization.

-n value, --name value          common name for the certificate
-O value, --organization value  name of organization to issue certificates for
-C value, --country value       country of the organization
-p value, --province value      province or state of the organization
-l value, --locality value      locality or city of the organization
-a value, --address value       street address of the organization
-z value, --postcode value      postal code of the organization

You can also PKCS12 encrypt the issued cert with the -P flag to specify the password and the -o flag to specify the output location using the .p12 extension.

$ certs issue -c ca.gz -o certs.p12 -P password -n "Common_Name" -O "Organization"

Decrypting Files

The certs CLI also has a command to decrypt PKCS12 files and can be used as follows:

$ certs decrypt <common_name.p12> -p password

The decrypt command requires the -p flag (which specifies the password of the encrypted file). And default output is <common_name.gz>, but you can specify the output location using the -o flag.

Creating Trust Chain Pools

Additionally, the certs CLI has a command to create a trust chain pool from certificates that were created on your local disk. It saves the pool into a zip file that you can specify with the -o flag. The pools are used to manage the public trust certificates of peers in the network. The pool maps common names to the provider certificates and ensures that only public providers without private keys are stored in the pool.

$ certs pool <common_name1.pem> <common_name2.pem> -o

While public providers are used in providers pools to facilitate mTLS clients, providers with keys (private providers) are used to instantiate mTLS servers. Such that, if two pairs of certs signed with the same ca.gz will enable you to establish an mTLS connection between two nodes.