Gemcert

A simple tool for creating self-signed certs for use in Geminispace.

Gemcert is designed to be a less overwhelming alternative to the openssl command line tool, especially for people who don't like blindly copying and pasting long, opaque commands without understanding them but also feel like they shouldn't need to wade through multiple long man pages just to make a self-signed certificate. It does just what is needed for typical Gemini server or client certificates with sensible defaults and a handful of straightforward options for extra control.

Usage

Server certificates

Use the following command to generate a self-signed certificate to use with a Gemini server:

gemcert -server -domain example.com

This will generate a certificate with a CommonName of example.com, but will include both example.com and *.example.com in the Subject Alternate Names field. In other words, gemcert generates wildcard certificates by default. Because many Gemini clients use the TOFU model, frequent certificate changes should be avoided wherever possible, so it's better to remain flexible at the outset - you might have no plans to use subdomains right now, but are you sure you won't change your mind next year?

Client certificates

Use the following command to generate a self-signed certificate to use as a client certificate:

gemcert -client

The x.509 standard allows a certificate's Subject to be empty, but not its Issuer. Gemcert produces client certificates with an Issuer whose CN is "gemini", and where all other fields of the Issuer DN are empty. Even though empty Subjects are valid in principle, the Go standard library tools force the Issuer and Subject of self-signed certificates to be identical, so your client certs will end up with a Subject CN of "gemini" as well.

Some applications (e.g. astrobotany) use your client cert's Subject CN as a username in the application. You can use the -cn option to specify your own Subject CN in certs destined for use with such an application:

gemcert -client -cn username
gemcert -client -cn "Gus Grissom"

Certificate lifetimes

The validity period of a certificate always begins at the time it was generated. By default, server certificates are valid for 5 years beyond that time, and client certificates for 1 day. No matter which certificate type you are creating, you can easily specify the validity lifetime you would like using any combination of the -years, -months, -days and -hours options:

gemcert -server -domain example.com -years 3 -months 6 -days 12 -hours 4

Key types

By default, gemcert produces keys for the ECDSA signature scheme, using the P256 NIST curve. The resulting certificates are much smaller than the RSA certificates commonly used on the web, and will work with just about any TLS implementation, even if you are stuck with a relatively old version. This kind of cert seems to represent the best current trade-off between small certificate size and broad compatibility.

As a single alternative, gemcert can also produce keys for the ED25519 signature scheme, via the -ed25519 option:

gemcert -server -ed25519 -domain example.com

The resulting certificates will be even smaller, and many consider them more secure than ECDSA (or, more precisely, ECDSA using the NIST standard curves, which are the only ones widely supported). These are ideal certificates for use with Gemini, but unfortunately they are not yet as widely supported as ECDSA. If you use one of these certs for your server, be aware that some clients (including most mobile clients) will be unable to access them. Hopefully this situation will change in the near future. For the time being, these certs are still useful for use as client certificates if your own client and a particular application server you want to use both support ED25519.

Output files

Whether you are making a server or client certificate, gemcert will produce the output in PEM formatted files named key.pem and cert.pem in the current working directory, and will not ask before overwriting existing files, so use with caution!