square / certstrap

Tools to bootstrap CAs, certificate requests, and signed certificates.

License: Apache License 2.0

Go 99.54% Dockerfile 0.46%
crypto golang certificate bootstrap certificate-authority ssl csr tls

certstrap's Introduction

certstrap

A simple certificate manager written in Go, to bootstrap your own certificate authority and public key infrastructure. Adapted from etcd-ca.

certstrap is a very convenient app if you don't feel like dealing with openssl, its myriad options, or its config files.

Common Uses

certstrap allows you to build your own certificate system:

  1. Initialize certificate authorities
  2. Create identities and certificate signature requests for hosts
  3. Sign and generate certificates

Certificate architecture

certstrap can init multiple certificate authorities to sign certificates with, and users can build arbitrarily long certificate chains by using signed hosts to sign later certificate requests.

Examples

Getting Started

Building

certstrap must be built with Go 1.18+. You can build certstrap from source:

$ git clone https://github.com/square/certstrap
$ cd certstrap
$ go build

This will generate a binary called certstrap under the project root folder.

Initialize a new certificate authority:

$ ./certstrap init --common-name "CertAuth"
Created out/CertAuth.key
Created out/CertAuth.crt
Created out/CertAuth.crl

Note that the -common-name flag is required; its value is also used to name the output files.

This also generates a new keypair for the Certificate Authority; you can instead use a pre-existing private PEM key with the -key flag.

If the CN contains spaces, certstrap will change them to underscores in the filename for easier use. The spaces will be preserved inside the fields of the generated files:

$ ./certstrap init --common-name "Cert Auth"
Created out/Cert_Auth.key
Created out/Cert_Auth.crt
Created out/Cert_Auth.crl

Request a certificate, including keypair:

$ ./certstrap request-cert --common-name Alice
Created out/Alice.key
Created out/Alice.csr

certstrap requires either the -common-name or the -domain flag to be set in order to generate a certificate signing request. The CN for the certificate is derived from these fields.

If your server has multiple IP addresses or domains, use a comma-separated ip/domain/uri list, e.g.: ./certstrap request-cert -ip $ip1,$ip2 -domain $domain1,$domain2 -uri $uri1,$uri2

If you do not wish to generate a new keypair, you can use a pre-existing private PEM key with the -key flag.

Sign certificate request of host and generate the certificate:

$ ./certstrap sign Alice --CA CertAuth
Created out/Alice.crt from out/Alice.csr signed by out/CertAuth.key

PKCS Format:

If you'd like to convert your certificate and key to PKCS12 format, simply run:

$ openssl pkcs12 -export -out outputCert.p12 -inkey inputKey.key -in inputCert.crt -certfile CA.crt

inputKey.key and inputCert.crt are the leaf private key and certificate pair of your choosing (generated by a sign command), and CA.crt is the certificate authority certificate that was used to sign it. The output PKCS12 file is outputCert.p12.

Key Algorithms:

Certstrap supports curves P-224, P-256, P-384, P-521, and Ed25519. Curves are selected by name with the --curve flag on the init and request-cert commands:

$ ./certstrap init --common-name CertAuth --curve P-256
Created out/CertAuth.key
Created out/CertAuth.crt
Created out/CertAuth.crl

$ ./certstrap request-cert --common-name Alice --curve P-256
Created out/Alice.key
Created out/Alice.csr

Retrieving Files

Output key, request, and certificate files can be found in the depot directory. By default, this is out/.

Project Details

Contributing

See CONTRIBUTING for details on submitting patches.

License

certstrap is under the Apache 2.0 license. See the LICENSE file for details.

certstrap's People

Contributors

adregner, alokmenghrajani, chenrui333, codysoyland, csstaub, defer, dependabot-preview[bot], dependabot[bot], dvrkps, evenh, fd0, gflex, gviedma, isemaya-square, jdtw, labria, ludweeg, mbyczkowski, mcdee, mcpherrinm, mrtrkmn, mweissbacher, namreg, nealharris, riyazdf, sashabaranov, socheatsok78, violetd12

certstrap's Issues

Cannot revoke cert if CA key protected by passphrase

Error

When attempting to revoke a certificate that was signed with a CA that is protected by a passphrase, the following error is generated:

/tmp # /usr/bin/certstrap revoke --CN Alice --CA CertAuth
could not get "CertAuth" private key: unmatched type or headers

Desc and Quick Analysis

It would seem that an error condition within revoke.go - Lines 115-118 is hit.

certstrap/cmd/revoke.go

Lines 115 to 118 in 1eaeef9

	priv, err := depot.GetPrivateKey(d, c.ca)
	if err != nil {
		return fmt.Errorf("could not get %q private key: %v", c.ca, err)
	}

I believe this stems from a direct call to depot.GetPrivateKey without retry logic for depot.GetEncryptedPrivateKey.

I'm not 100% sure, but I think revoke.go should probably re-use logic similar to sign.go - Lines 126-138.

certstrap/cmd/sign.go

Lines 126 to 138 in ec28c5a

	key, err := depot.GetPrivateKey(d, formattedCAName)
	if err != nil {
		pass, err := getPassPhrase(c, "CA key")
		if err != nil {
			fmt.Fprintln(os.Stderr, "Get CA key error: ", err)
			os.Exit(1)
		}
		key, err = depot.GetEncryptedPrivateKey(d, formattedCAName, pass)
		if err != nil {
			fmt.Fprintln(os.Stderr, "Get CA key error: ", err)
			os.Exit(1)
		}
	}

Steps to reproduce

/tmp # /usr/bin/certstrap init --common-name "CertAuth"
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Created out/CertAuth.key (encrypted by passphrase)
Created out/CertAuth.crt
Created out/CertAuth.crl

/tmp # /usr/bin/certstrap request-cert --common-name Alice
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Created out/Alice.key
Created out/Alice.csr

/tmp # /usr/bin/certstrap sign Alice --CA CertAuth
Enter passphrase for CA key (empty for no passphrase): 
Created out/Alice.crt from out/Alice.csr signed by out/CertAuth.key

/tmp # /usr/bin/certstrap revoke --CN Alice --CA CertAuth
could not get "CertAuth" private key: unmatched type or headers

Intermediate with OpenSSL: verify error:num=25:path length constraint exceeded

Could be a documentation issue - there is nothing in the README.md. I generated an Intermediate certificate using these steps:

./bin/certstrap-master-linux-amd64 init --common-name "Unit Test Server Root CA" --key-bits 1024 --expires "100 years"

./bin/certstrap-master-linux-amd64 request-cert --common-name "Unit Test Server Intermediate CA" --key-bits 1024
./bin/certstrap-master-linux-amd64 sign --expires "100 years" --CA "Unit Test Server Root CA" --intermediate "Unit Test Server Intermediate CA"

./bin/certstrap-master-linux-amd64 request-cert --common-name "localhost" --ip "127.0.0.1" --domain "localhost" --key-bits 1024
./bin/certstrap-master-linux-amd64 sign --expires "100 years" --CA "Unit Test Server Intermediate CA" "localhost"

I'm trying to debug it, but can't quite figure out what this comment means:

// Not allow any non-self-issued intermediate CA, sets MaxPathLen=0

Should I generate my Intermediate CA differently?
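The "path length constraint exceeded" failure above, and the root -> intermediate -> host chains the README's "Certificate architecture" section describes, can be reproduced in plain Go. This is an added example, not certstrap's or the reporter's code: it builds a root, an intermediate and a localhost leaf, then verifies the leaf with the root's pathlen set to 0 (the "MaxPathLen=0" case from the quoted comment) and to 1. caTemplate, mkCert, VerifyChain and IsPathLenError are hypothetical names, and the example makes no claim about how certstrap itself sets MaxPathLen.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// caTemplate builds a CA template. maxPathLen < 0 means "no constraint";
// 0 means "may sign only end-entity certificates", which is what the
// "sets MaxPathLen=0" comment in the report describes. Go only encodes a
// pathlen of 0 when MaxPathLenZero is also set.
func caTemplate(cn string, serial int64, maxPathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0,
	}
}

// mkCert issues tmpl with a fresh P-256 key. A nil parent means self-signed.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain builds root -> intermediate -> localhost leaf with the given
// path length on the root and verifies the leaf the way a TLS client would.
// The intermediate always carries pathlen 0, which is fine for a CA that
// only issues end-entity certificates. A nil result means the chain is valid.
func VerifyChain(rootMaxPathLen int) error {
	root, rootKey, err := mkCert(caTemplate("Unit Test Server Root CA", 1, rootMaxPathLen), nil, nil)
	if err != nil {
		return err
	}
	inter, interKey, err := mkCert(caTemplate("Unit Test Server Intermediate CA", 2, 0), root, rootKey)
	if err != nil {
		return err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	leaf, _, err := mkCert(leafTmpl, inter, interKey)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: "localhost", Roots: roots, Intermediates: inters})
	return err
}

// IsPathLenError reports whether err is Go's counterpart of OpenSSL's
// "verify error:num=25:path length constraint exceeded". Depending on the Go
// version it surfaces directly as a CertificateInvalidError or as the hint
// inside an UnknownAuthorityError, so matching the message is the portable check.
func IsPathLenError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "path length constraint")
}

func main() {
	fmt.Println("root pathlen 0:", VerifyChain(0))
	fmt.Println("root pathlen 1:", VerifyChain(1))
}
```

With pathlen 0 on the root, the leaf fails verification even though every signature is correct; raising the root's pathlen to 1 (one intermediate allowed) makes the same chain valid.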

Store files without spaces

Consider replacing spaces in output filenames with underscores. For example, instead of writing out/Some\ Certificate\ Authority.crt, write out/Some_Certificate_Authority.

Cut new release?

Original v1 was about a year ago. Perhaps cut a new release with the new extra commits since then?

xoxo

x509.(Encrypt|Decrypt)PEMBlock have been deprecated

From the linter:

  Error: SA1019: x509.DecryptPEMBlock has been deprecated since Go 1.16 because it shouldn't be used: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.  (staticcheck)
  Error: SA1019: x509.EncryptPEMBlock has been deprecated since Go 1.16 because it shouldn't be used: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.  (staticcheck)

-out flag

An -out flag as exists in openssl would be nice. Currently files need to be copied manually when the same common name is used.

etcd-release has the same issue https://github.com/cloudfoundry-incubator/etcd-release/blob/master/scripts/generate-certs

# CA
certstrap --depot-path . init --passphrase '' --common-name example.com --key-bits $SIZE
mv ./example.com.key ./ca.key
mv ./example.com.crt ./ca.crt
mv ./example.com.crl ./ca.crl

# Server
certstrap --depot-path . request-cert --passphrase '' --common-name example.com --domain 'example.com'  --key-bits $SIZE
mv ./example.com.key server.key
mv ./example.com.csr server.csr

certstrap --depot-path . sign server --CA ca
openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pem

# Client
certstrap --depot-path . request-cert --passphrase '' --common-name example.com --domain 'example.com'  --key-bits $SIZE
mv ./example.com.key client.key
mv ./example.com.csr client.csr

#54

Subject order

When creating a CA the subject does not appear in the standard order.

I get the following

C=US, O=Example Org, OU=Security, L=City Name, ST=State, CN=Example Org Root CA

Typically its formatted like so

C=US, ST=State, L=City Name, O=Example Org, OU=Security, CN=Example Org Root CA

Add cross-platform binaries to github releases

Would it be possible to add 64-bit binaries for darwin/linux (and any other platforms you want to support) to the github releases as artifacts? Both for past releases and future releases?

It would be really useful if we could just download the binary, and stick in our docker images, without having to install all of golang, just to go get this one utility.

Bazel integration

I've had some success in integrating certstrap into my Bazel builds to create test certificates. To do so I have to maintain the list of external dependencies within my own build. Would there be an appetite for including something like https://github.com/bazelbuild/bazel-gazelle/blob/master/deps.bzl in the repo to make it easier to import certstrap and list its dependencies with Bazel?

I don't mind doing this work, it's pretty straight forward by using https://github.com/bazelbuild/bazel-gazelle to generate the files. The main open question I have is about how we'd make sure it's kept up to date.

cc @mcpherrinm

Use of terminal.ReadPassword prevents windows compat

Use of the terminal package prevents certstrap from compiling on windows.

Would you mind not masking password entry or replacing it with something like the gopass package (https://github.com/howeyc/gopass)?

Depending on your goal, this may not be a great library. Looks like it just quickly backspaces and overwrites with a space, which might still get logged by something you are trying to avoid.

Add support for SPIFFE workload API

It would be useful to have Certstrap able to implement the SPIFFE workload APIs, so that it can be used for local testing of software without needing a node agent.

pkix package functions are not safe for concurrent use

We are using some of the functions in the pkix package to generate CAs, certs, and keys in tests. Running the tests with race detection and in parallel triggered failures as there are package level variables that are written to by different goroutines:

WARNING: DATA RACE
Write at 0x000000b8b598 by goroutine 7:
  github.com/square/certstrap/pkix.CreateCertificateAuthority()
      /tmp/build/80754af9/diego-release/src/github.com/square/certstrap/pkix/cert_auth.go:85 +0xb3
...

Previous write at 0x000000b8b598 by goroutine 10:
  github.com/square/certstrap/pkix.CreateCertificateAuthority()
      /tmp/build/80754af9/diego-release/src/github.com/square/certstrap/pkix/cert_auth.go:85 +0xb3
...

The pkix package seems to use a pattern that makes its functions unsafe for concurrent use, e.g.

authTemplate.SubjectKeyId = subjectKeyID

Is there an existing track of work to ensure the pkix package is safe for concurrency?

Add revoke command

It would be nice if there were a revoke command that could be used to populate the CRL.

Improve readme

The readme could use some improvement. E.g. explain the pros/cons of using certstrap vs openssl.

Add flag to take subject/SANs from existing cert

Sometimes you've already got a crt/key, and you just want it reissued.

We've got a --key for certstrap request-cert to use an existing cert, maybe we should have a --cert too.

The exact semantics are a little tricky. Like, should we copy the extended-validation OIDs? (Generally, I think "no" because the CA should provide those). At very least we should take the normal subject stuff (CN, O, OU, L, ...) and SANs.

Bash autocompletion

For interactive users, it would be useful to provide shell completion.
GNU Bash is widespread and a good candidate for first implementation.

I can help by providing a PR, but would need to know if this is useful to spend time on or not.
If so I’ll sign the CLA and send the request.

Add support for URI SANs

We should have a flag to add URI sans, like the domain and IP flags today.

This is because SPIFFE uses URI SANs in certificates.

Allow cert expiration times < 1 year

Would you accept a pull request that changes the cert generation interface from representing expiration as integer number of years to a time.Duration? I would like to generate certs with shorter lifetimes.

Failed to create certificate

# build certstrap
git clone https://github.com/square/certstrap
cd certstrap
go build


# build rootca
./certstrap init --passphrase 123456 --expires "10 year" --organization "Google Trust Services LLC" --country "US" --common-name "BIG Web"

# build midca csr
./certstrap request-cert --passphrase 123456 --key-bits 4096 --organization "Google Trust Services LLC" --country "US" --common-name "GTS CA 1C3"

# sign mid crt
./certstrap sign "GTS_CA_1C3" --passphrase 123456 --CA "Acunetix_Web" --intermediate true

# get server csr
./certstrap request-cert --passphrase 123456 --key-bits 4096 --common-name "awvs.lan" --domain "awvs.lan"

# sign server crt
./certstrap sign awvs.lan --passphrase 123456 --CA "GTS_CA_1C3"
BIG Web:  Trust certificate
GTS CA 1C3:  This certificate is valid
awvs.lan : "GTS CA 1C3" certificate does not meet the standard

Add cli parameter to enable extendedKeyUsage

I'm setting up a Consul cluster that requires rolling my own CA. That's how I found this awesome project. However, another requirement is the usage of extendedKeyUsage to enable client/server-authentication using the CA-signed certificates.

I've found references to extKeyUsage in the code but no way of configuring certstrap to actually create certificates with these parameters. It would be awesome if certstrap could support this.

Release a version

Thanks for an awesome project! In order to have stability (and include a package in Homebrew), could you please consider releasing a version of certstrap, e.g. v1.0.0 or v0.0.1?

Version the build on dockerhub

The build on docker hub is tagged as latest which could cause issues if the build is ever updated. I suggest adding another tag for each release.

e.g
squareup/certstrap:1.2.0

Awesome project btw, has saved me a lot of headache, thank you.

New release

20 commits since last release 1.1.1, homebrew version outdated. Maybe it's time for a new release?

Throw an error if IP is invalid

certstrap request-cert --common-name "blah" --ip "foo" ends up ignoring the invalid ip. We should instead display an error message.

Getting unknown URIs field error on ./build

Here is the full error description:

gopath/src/github.com/square/certstrap/pkix/cert_auth.go:147:14: authTemplate.URIs undefined (type x509.Certificate has no field or method URIs)
gopath/src/github.com/square/certstrap/pkix/cert_auth.go:147:28: rawCsr.URIs undefined (type *x509.CertificateRequest has no field or method URIs)
gopath/src/github.com/square/certstrap/pkix/cert_host.go:98:14: hostTemplate.URIs undefined (type x509.Certificate has no field or method URIs)
gopath/src/github.com/square/certstrap/pkix/cert_host.go:98:28: rawCsr.URIs undefined (type *x509.CertificateRequest has no field or method URIs)
gopath/src/github.com/square/certstrap/pkix/csr.go:118:7: unknown field 'URIs' in struct literal of type x509.CertificateRequest

CLI option for empty passphrase

I would vote for implementing the feature to explicitly set empty passwords for certificate requests (request-cert).
This would allow automated creation of password-less keys to be used, e.g., for web servers.

Maybe implementing another flag --empty-passphrase and internally setting empty byte array.

Support pkcs8 private keys

The tool should be smart enough to support reading pkcs8 private keys.

Ideally, we should support writing pkcs8 private keys if the user desires.

Wildcard ssl certificate

Hello,
Very nice and convenient tool. Is it also able to generate certs for wildcard domains?
Thanks

Must provide Common Name or domain

First, I use the next cmd:

$ git clone https://github.com/square/certstrap
$ cd certstrap
$ ./build

2. I got certstrap-dev-25ea708a-darwin-amd64 in ./bin, and I exec:

./certstrap-dev-25ea708a-darwin-amd64 request-cert --ip 10.29.113.5

But I got the error: Must provide Common Name or domain

Dependabot can't resolve your Go dependency files

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:


If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

Add name constraints to CA cert?

Hi,

thanks a lot for this handy tool! About the only thing I'm missing is adding name constraints to a CA when the certificate is created, so that the newly created CA is only valid for certain hierarchies. In openssl config syntax this would look as follows:

nameConstraints=critical,permitted;DNS:.example.com, permitted;DNS:.otherexample.com

A CA created with this constraint (which must be marked as critical) can only sign certificates below example.com or otherexample.com. This attribute can also contain IP addresses and many other features (you know, the whole x509 stuff), but being able to restrict a CA to some domains is the only thing I need.

Is there interest in adding a basic version of this feature? Like, not supporting the whole x509 madness, but being able to specify a list of domains and maybe IP ranges a new CA should be valid for?

If so, I'm willing to add the code (and tests) needed for this feature. Let me know what you think!

Finer Expiry Control

Hello,
I find that I often need to create expired certificates for testing related validation and it would be extremely helpful if the --expires option was extended to allow passing minutes and even seconds.

Certificate expiry clarity

This is more of a clarification than an issue. Is there a way to pass a custom expiry to the module? The expiry defaults to a year currently.

openssl x509 -enddate -noout -in test.crt
notAfter=May 23 06:26:00 2022 GM

Commend the Incredible work to simplify cert generation!!

Golang 1.17 broke Tests with crypto/x509

CreateCertificate now returns an error if the provided private key doesn't match the parent's public key.
https://go-review.googlesource.com/c/go/+/224157/

Test Logs

?       github.com/square/certstrap     [no test files]
=== RUN   TestParseExpiryWithSeconds
--- PASS: TestParseExpiryWithSeconds (0.00s)
=== RUN   TestParseExpiryWithMinutes
--- PASS: TestParseExpiryWithMinutes (0.00s)
=== RUN   TestParseExpiryWithHours
--- PASS: TestParseExpiryWithHours (0.00s)
=== RUN   TestParseExpiryWithDays
--- PASS: TestParseExpiryWithDays (0.00s)
=== RUN   TestParseExpiryWithMonths
--- PASS: TestParseExpiryWithMonths (0.00s)
=== RUN   TestParseExpiryWithYears
--- PASS: TestParseExpiryWithYears (0.00s)
=== RUN   TestParseExpiryWithMixed
--- PASS: TestParseExpiryWithMixed (0.00s)
=== RUN   TestParseInvalidExpiry
--- PASS: TestParseInvalidExpiry (0.00s)
=== RUN   TestRevokeCmd
    revoke_test.go:118: could not create cert host: x509: provided PrivateKey doesn't match parent's PublicKey
--- FAIL: TestRevokeCmd (0.12s)
FAIL
FAIL    github.com/square/certstrap/cmd 0.122s
=== RUN   TestDepotCRUD
--- PASS: TestDepotCRUD (0.01s)
=== RUN   TestDepotPutNil
--- PASS: TestDepotPutNil (0.01s)
=== RUN   TestDepotCheckFailure
--- PASS: TestDepotCheckFailure (0.01s)
=== RUN   TestDepotGetFailure
--- PASS: TestDepotGetFailure (0.01s)
=== RUN   TestDepotList
--- PASS: TestDepotList (0.01s)
=== RUN   TestDepotGetFile
--- PASS: TestDepotGetFile (0.01s)
PASS
ok      github.com/square/certstrap/depot       0.047s
=== RUN   TestCreateCertificateAuthority
--- PASS: TestCreateCertificateAuthority (0.01s)
=== RUN   TestCreateCertificateHost
--- PASS: TestCreateCertificateHost (0.00s)
=== RUN   TestCertificateAuthorityInfo
--- PASS: TestCertificateAuthorityInfo (0.00s)
=== RUN   TestCertificateAuthorityInfoFromJSON
--- PASS: TestCertificateAuthorityInfoFromJSON (0.00s)
=== RUN   TestCertificateAuthority
--- PASS: TestCertificateAuthority (0.00s)
=== RUN   TestWrongCertificate
--- PASS: TestWrongCertificate (0.00s)
=== RUN   TestBadCertificate
--- PASS: TestBadCertificate (0.00s)
=== RUN   TestCertificateVerify
--- PASS: TestCertificateVerify (0.00s)
=== RUN   TestCreateCertificateRevocationList
--- PASS: TestCreateCertificateRevocationList (0.02s)
=== RUN   TestCertificateRevocationList
--- PASS: TestCertificateRevocationList (0.00s)
=== RUN   TestCreateCertificateSigningRequest
--- PASS: TestCreateCertificateSigningRequest (0.03s)
=== RUN   TestCertificateSigningRequest
--- PASS: TestCertificateSigningRequest (0.00s)
=== RUN   TestOldStyleCertificateSigningRequest
--- PASS: TestOldStyleCertificateSigningRequest (0.00s)
=== RUN   TestWrongCertificateSigningRequest
--- PASS: TestWrongCertificateSigningRequest (0.00s)
=== RUN   TestBadCertificateSigningRequest
--- PASS: TestBadCertificateSigningRequest (0.00s)
=== RUN   TestCreateRSAKey
--- PASS: TestCreateRSAKey (0.03s)
=== RUN   TestRSAKey
--- PASS: TestRSAKey (0.00s)
=== RUN   TestWrongRSAKey
--- PASS: TestWrongRSAKey (0.00s)
=== RUN   TestBadRSAKey
--- PASS: TestBadRSAKey (0.00s)
=== RUN   TestRSAKeyExport
--- PASS: TestRSAKeyExport (0.00s)
=== RUN   TestRSAKeyExportEncrypted
--- PASS: TestRSAKeyExportEncrypted (0.00s)
=== RUN   TestRSAKeyGenerateSubjectKeyID
--- PASS: TestRSAKeyGenerateSubjectKeyID (0.00s)
PASS
ok      github.com/square/certstrap/pkix        0.092s
=== RUN   TestVersion
--- PASS: TestVersion (0.08s)
=== RUN   TestIp
--- PASS: TestIp (0.26s)
=== RUN   TestNotCA
--- PASS: TestNotCA (2.07s)
=== RUN   TestURI
--- PASS: TestURI (0.28s)
=== RUN   TestWorkflow
--- PASS: TestWorkflow (1.21s)
PASS
ok      github.com/square/certstrap/tests       3.907s
FAIL

System
Go version: go version go1.17.1 linux/amd64
Certstrap version: 1768704
Linux version: Arch linux

Support old-style certificate request header in CSR

It looks like there are two possible values for the PEM header in CSRs.

Certstrap currently expects the new style (used by OpenSSL) of "CERTIFICATE REQUEST".

The Microsoft certreq tool generates certificate requests with the old style "NEW CERTIFICATE REQUEST" (see https://stackoverflow.com/questions/28628744/is-there-a-spec-for-csr-begin-headers for a discussion of this).

Would it be possible for certstrap to support the style used by certreq so these do not need to be modified prior to use?

--ip flag for request-cert command fails to create key and csr

Hi, it looks like using just the --ip flag to the request-cert command fails:

jchen@rousseau-(master|✔)> certstrap --depot-path ./secrets/tls request-cert --ip 10.2.1.48 --organization nerdrage --country US --passphrase '' --locality San Francisco --organizational-unit ops --province CA
Created ./secrets/tls/��
0.key
Create certificate request error: asn1: string not valid UTF-8
[1] jchen@rousseau-(master|✔)> certstrap --depot-path ./secrets/tls request-cert --ip '10.2.1.48' --organization nerdrage --country US --passphrase '' --locality San Francisco --organizational-unit ops --province CA
Created ./secrets/tls/��
0.key
Create certificate request error: asn1: string not valid UTF-8
[1] jchen@rousseau-(master|✔)> certstrap --depot-path ./secrets/tls request-cert --common-name 10.2.1.48 --organization nerdrage --country US --passphrase '' --locality San Francisco --organizational-unit ops --province CA
Created ./secrets/tls/10.2.1.48.key
Created ./secrets/tls/10.2.1.48.csr
