# Cheese
A Certificate Transparency log configuration and deployment tool for Google's [TesseraCT] implementation. It tries to look and feel a little like the one provided by [Sunlight].
## Configuration Generator

The `tesseract/genconf` tool generates CT log configuration files and keys from a YAML specification, in a very similar way to Sunlight.
### Usage

- Build the tool:

```shell
go build -o tesseract-genconf ./tesseract/genconf/
```

- Create a YAML configuration file:

```yaml
listen:
  - "[::]:8080"
roots: /etc/tesseract/roots.pem
logs:
  - shortname: example2025h1
    listen: "[::]:16900"
    inception: 2025-01-01
    submissionprefix: https://example2025h1.log.ct.example.com
    monitoringprefix: https://example2025h1.mon.ct.example.com
    extraroots: /etc/tesseract/extra-roots.pem
    secret: /etc/tesseract/keys/example2025h1.pem
    localdirectory: /var/lib/tesseract/example2025h1/data
    notafterstart: 2025-01-01T00:00:00Z
    notafterlimit: 2025-07-01T00:00:00Z
```

- Generate private keys:

```shell
mkdir -p /etc/tesseract/keys
./tesseract-genconf -c config.yaml --write gen-key
```

- Create directories and generate environment files:

```shell
mkdir -p /var/lib/tesseract/example2025h1/data
./tesseract-genconf -c config.yaml --write gen-env
```

- Generate HTML and JSON files:

```shell
./tesseract-genconf -c config.yaml --write gen-html
```

- Generate nginx configuration files:

```shell
./tesseract-genconf -c config.yaml --write gen-nginx
```

  The port from the main `listen:` field will be used in the NGINX server blocks (in our case `:8080`). You can symlink the generated `$monitoringprefix.conf` files from `/etc/nginx/sites-enabled/`.

- Generate root certificates (optional):

```shell
# For a testing/staging environment, take the ccadb 'testing' roots
./tesseract-genconf gen-roots --source https://rennet2027h2.log.ct.ipng.ch/ --output roots-staging.pem
# For a production environment, take the ccadb 'production' roots
./tesseract-genconf gen-roots --source https://gouda2027h2.log.ct.ipng.ch/ --output roots-production.pem
```
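As an added check after `gen-key` (example code, not part of Cheese or TesseraCT): derive the RFC 6962 log ID from the private key written to the log's `secret` path and confirm the key is ECDSA P-256, so the ID can be compared with what the log later advertises. It assumes the key is stored as PKCS#8 PEM, and the key minted by `NewTestKeyPEM` stands in for `/etc/tesseract/keys/example2025h1.pem` so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// LogIDFromKeyPEM reads a log private key, checks it is ECDSA P-256 (the curve
// CT log signing keys are expected to use) and returns the RFC 6962 log ID:
// base64(SHA-256(DER SubjectPublicKeyInfo)). PKCS#8 PEM is an assumption.
func LogIDFromKeyPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", fmt.Errorf("no PEM block found")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("not a PKCS#8 private key: %w", err)
	}
	key, ok := k.(*ecdsa.PrivateKey)
	if !ok {
		return "", fmt.Errorf("key is %T, want ECDSA", k)
	}
	if name := key.Curve.Params().Name; name != "P-256" {
		return "", fmt.Errorf("unexpected curve %s, want P-256", name)
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// NewTestKeyPEM mints a throwaway P-256 key as PKCS#8 PEM (constructed sample)
// so the check runs without the real secret file present.
func NewTestKeyPEM() []byte {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}
```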
### Safe File Operations with `--diff` and `--write`

The `tesseract-genconf` tool includes safety features to prevent accidental file modifications:

- `--diff`: Shows colored unified diffs of what would change without writing files
- `--write`: Required flag to actually write files to disk
- `--no-color`: Disables colored diff output (useful for redirecting to files)
Recommended workflow:

```shell
# 1. First, preview changes with --diff
./tesseract-genconf -c config.yaml --diff gen-html
# 2. Review the colored diff output, then apply changes
./tesseract-genconf -c config.yaml --write gen-html
# 3. Or combine both to see diffs and write files
./tesseract-genconf -c config.yaml --diff --write gen-html
```

Note: Flags must come before the command name (e.g., `--diff gen-html`, not `gen-html --diff`).