Cross platform, easy to use SSL/TLS toolset

  • By Erhan Yakut
  • Last update: Jan 2, 2023
  • Comments: 4

Build Status Total Downloads Codecov branch Go Version Go Version
Gopher design by Tugay BALCI


GoSSL is a cross platform, easy to use SSL/TLS toolset written with Go and built with ❤️


  • Generate RSA private and public key
  • Generate x509 RSA Certificate Request (CSR)
  • Generate x509 RSA Root CA
  • Generate x509 RSA Certificate
  • Verify a Certificate with a Root CA
  • Verify a URL with a Root CA
  • Generate SSH key pair
  • Copy SSH public key to remote SSH server


Executable binaries can be downloaded at Releases page according to user's operating system and architecture. After download, extract compressed files and start using GoSSL via terminal.

MacOS Homebrew Install

MacOS users can install GoSSL via Homebrew with the commands below.

brew tap yakuter/homebrew-tap
brew install gossl



version command displays the current version of GoSSL

gossl -v
gossl --version


help command displays default help and existing commands. It can also be used to get sub command helps.

gossl help
gossl help cert


key command generates RSA private key with provided bit size.

gossl key --help
gossl key --bits 2048
gossl key --bits 2048 --out private.key
gossl key --bits 2048 --out private.key --withpub


cert command generates x509 SSL/TLS Certificate Request (CSR), Root CA and Certificate with provided private key.


gossl cert --help

Generate Certificate Request (CSR)

gossl cert \
    --key private.key \
    --out cert.csr \
    --days 365 \
    --serial 12345 \

Generate Root CA

gossl cert \
    --key private.key \
    --out ca.pem \
    --days 365 \
    --serial 12345 \

Generate Certificate

gossl cert \
    --key private.key \
    --out cert.pem \
    --days 365 \
    --serial 12345


verify command verifies x509 certificate with provided root CA in PEM format.

gossl verify --help

// Verify certificate with root CA 
gossl verify --cafile ./testdata/ca-cert.pem --certfile ./testdata/server-cert.pem
gossl verify --cafile ./testdata/ca-cert.pem --certfile ./testdata/server-cert.pem --dns

// Verify URL with root CA
gossl verify --cafile testdata/ca-cert.pem --url


ssh command generates SSH key pair with provided bit size just like ssh-keygen tool. These key pairs are used for automating logins, single sign-on, and for authenticating hosts.

gossl key --help
gossl key --bits 2048
gossl key --bits 2048 --out ./id_rsa
// output will be written to ./id_rsa and ./id_rsa_pub files


ssh-copy connects remote SSH server, creates /home/user/.ssh directory and authorized_keys file in it and appends provided public key (eg, to authorized_keys file just like ssh-copy-id tool.

gossl ssh-copy --help

// This command will ask for password to connect SSH server
gossl ssh-copy --pubkey /home/user/.ssh/ remoteUser@remoteIP

gossl ssh-copy --pubkey /home/user/.ssh/ --password passw@rd123 remoteUser@remoteIP


  1. Add generate command for generating private key, root ca and x509 certificates in one command
  2. Add cert template format read from yaml file
  3. Add certificate converter command like DER to PEM etc.



  • 1

    verifying url with CA

    I wrote a small func to test verifying url with RootCAs: (I changed test's package name to "verify" in order to use verifyURLWithCA func)

    func TestVerifyURL(t *testing.T) {
    	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    		fmt.Fprintln(w, "hello!")
    	rootCA, err := rootCAs("../../testdata/ca-cert.pem")
    	require.NoError(t, err)
            require.NotNil(t, rootCA)
    	ts.TLS = &tls.Config{
    		ClientCAs: rootCA,
    	defer ts.Close()
    	err = verifyURLWithCA(nil, ts.URL, rootCA)
    	require.NoError(t, err)

    this test fails with the error:

    === RUN   TestVerifyURL
    2022/04/14 16:27:26 Failed to send Get request to URL error: Get "": x509: certificate signed by unknown authority
    2022/04/14 16:27:26 http: TLS handshake error from remote error: tls: bad certificate
                    Error Trace:    verify_test.go:118
                    Error:          Received unexpected error:
                                    Get "": x509: certificate signed by unknown authority
                    Test:           TestVerifyURL

    Am I missing something?

  • 2

    add homebrew releaser

    • added homebrew tap releaser
    • added 386 and arm architechtures to build section
    • added ldflags (-s -w) to produce a smaller binary which removes symbol table and debugging information
  • 3

    add getting cert details from url into info command

    I added getting certificate details from given URL to info command.

    I used the same argument which can be replaced with the file path.

    gossl info


    gossl info cert.pem

    In both ways, output file can be used to write details.

    If adding a URL flag is better, I can convert it too.

  • 4

    Convert certificates/keys between different formats

    Thank you for your work on this project! I'd love to see the following new feature in the CLI:

    Ability to convert certificates/keys between PEM to PKCS12 (with password support), and the other way around.