Certainly Versions Save

• Adds a --source flag that prints out the tool’s own source files.

KNOWN ISSUE: does not produce working CA-issued certificates. Use 1.6.2 for now.

• Remove dependency on OpenSSL
• Change the inspect output format to:
  • Show more of the subject/issuer names
  • Show the names of certificates in the chain, for remotes
  • Show whether the certificate analysed was local or remote
  • Show an openssl oneliner to get more details
• Support Ed25519 keys
• Add an --ecdsa flag for future-proofing

The upside is that certificate generation for elliptical is faster (by about 20%), binary size is reduced (by about 33%), and less memory is used (by about %15).

The downside is that build times are slower (by about 30%), and RSA generation is very slow (several orders of magnitude!)

• Set the CA certificate's maxpathlen to zero

• Use a different subject and issuer DN
• Add OU field to DN
• Allow env overrides for some DN fields

• Add --reverse-std to output certificate first, then key

• For legacy applications, use --rsa to use 4096-bit RSA keys instead of ECDSA

• Certificates can be created with IPv4 and IPv6 names
• --inspect supports IPv4, v6, Email, and URI names on certs

• New --client flag to generate client certificates (#1)

• Untrusted remote certificates now display correctly with --inspect url.
• If a certificate is expired the text will read Expired: date rather than Expires: date.
• Inspect date formats changed to Y-m-d H:M:S