elide crt

elide crt is a complete local PKI toolkit built into the runtime. Create Certificate Authorities, generate CA-signed or self-signed certificates, install CAs into system and browser trust stores, inspect certificates from files or remote hosts, verify certificate chains, convert between PEM and DER, and renew certificates via ACME DNS-01. Every subcommand supports --json for machine-readable output.

If you have ever fought with openssl incantations to get local HTTPS working, this is the fix.

---

Quick start

Create a local CA and generate a browser-trusted development certificate in three commands:

```bash
# 1. Create a local Certificate Authority
elide crt ca

# 2. Generate a certificate signed by that CA
elide crt generate example.local localhost 127.0.0.1

# 3. Trust the CA system-wide (requires sudo on Linux/macOS)
sudo elide crt trust
```

Your development server can now use example.local.crt and example.local.key for HTTPS without browser warnings.

---

Subcommands

| Subcommand | What it does |
| --- | --- |
| ca | Create or display a local Certificate Authority |
| generate | Generate a TLS certificate (CA-signed or self-signed) |
| trust | Install a CA certificate into system trust stores |
| untrust | Remove a CA certificate from trust stores |
| inspect | Display certificate details from a file or remote host |
| verify | Verify a certificate's validity, chain, and hostname |
| export | Convert certificates between PEM and DER formats |
| renew | Renew certificates via ACME DNS-01 challenge (Let's Encrypt) |

---

Common workflows

Local development HTTPS

Set up browser-trusted HTTPS for local development. Create the CA once, trust it once, then generate per-project certificates as needed.

```bash
# One-time setup
elide crt ca
sudo elide crt trust

# Per-project
elide crt generate myapp.local localhost 127.0.0.1 ::1
```

Use the generated certificate with elide serve or any TLS-capable server:

```bash
elide serve --tls-cert myapp.local.crt --tls-key myapp.local.key ./dist
```

mTLS client certificates

Generate client certificates for mutual TLS authentication. The same CA signs both the server and client certificates; the server validates the client certificate against that CA.

```bash
elide crt generate api.internal --out-dir ./certs
elide crt generate client-service --client --out-dir ./certs
```

Inspecting production certificates

Check the certificate chain and expiry of a live server:

```bash
# Full chain
elide crt inspect example.com --chain

# Verify with an expiry warning threshold
elide crt verify example.com --expiry-warn 30

# Compact one-liner for CI dashboards
elide crt inspect example.com --brief
```

ACME certificate renewal

Obtain or renew a publicly trusted certificate from Let's Encrypt using DNS-01 validation:

```bash
elide crt renew example.com \
  --acme-email admin@example.com \
  --dns cloudflare \
  --dns-token "$CF_API_TOKEN"
```

Test with the Let's Encrypt staging environment first:

```bash
elide crt renew example.com \
  --acme-email admin@example.com \
  --dns cloudflare \
  --dns-token "$CF_API_TOKEN" \
  --staging
```

MITM proxy CA

Create a separate CA for the forward proxy's TLS interception, keeping it isolated from your development CA:

```bash
elide crt ca --proxy
sudo elide crt trust --proxy
```

Certificate format conversion

Convert between PEM and DER, or bundle a certificate chain:

```bash
# PEM to DER
elide crt export cert.pem --out cert.der

# Bundle leaf + CA into a single chain file
elide crt export leaf.crt --chain ca.crt --out fullchain.pem
```

---

PKI storage

Elide stores CA certificates and private keys in a platform-specific data directory:

```
~/.local/share/elide/pki/                   # Linux (via XDG_DATA_HOME)
~/Library/Application Support/elide/pki/     # macOS
  ca/
    ca.crt          # CA certificate (PEM)
    ca.key          # CA private key (PEM, mode 0600)
  proxy-ca/
    proxy-ca.crt    # Proxy MITM CA certificate
    proxy-ca.key    # Proxy MITM CA private key
```

Private key files are created with 0600 permissions on Unix systems. The storage directory can be overridden with --out-dir on the ca subcommand.

---

JSON output

Every subcommand supports --json for structured output, making it straightforward to integrate with scripts and CI pipelines:

```bash
# Extract DNS SANs from a remote certificate
elide crt inspect example.com --json | jq '.[0].san_dns'

# Check validity programmatically
elide crt verify ./cert.pem --json | jq '.valid'

# Show existing CA details as JSON
elide crt ca --show --json
```
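A CI gate built on this JSON output, as an added example that is not part of the Elide documentation or code base: it runs `elide crt verify` and `elide crt inspect` per host, fails the job when verification reports `valid: false`, and also fails when the leaf certificate's DNS SANs do not cover every name the service is expected to answer on. It assumes only the two fields shown above (`.[0].san_dns` from `inspect`, `.valid` from `verify`); the host list and the one-label wildcard rule are the example's own.

```python
"""CI gate on `elide crt ... --json` output (added example, not Elide's own code).

Assumed JSON shape (only the fields this page shows): `inspect` returns a list whose
first element carries `san_dns`; `verify` returns an object carrying `valid`.
"""
import json
import subprocess
from typing import Iterable


def run_crt(args: list[str]) -> object:
    """Run an `elide crt` subcommand with --json and parse its output (needs the binary)."""
    proc = subprocess.run(["elide", "crt", *args, "--json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def missing_names(inspect_json: list, expected: Iterable[str]) -> list[str]:
    """Return the expected hostnames that the leaf's DNS SANs do not cover.

    Exact, case-insensitive match, plus the usual one-label wildcard rule:
    `*.example.com` covers `api.example.com` but not `example.com` or `a.b.example.com`.
    """
    sans = {s.lower() for s in inspect_json[0].get("san_dns", [])}
    missing = []
    for name in expected:
        name = name.lower()
        labels = name.split(".")
        if name in sans or (len(labels) > 1 and "*." + ".".join(labels[1:]) in sans):
            continue
        missing.append(name)
    return missing


def gate(host: str, expected: list[str], verify_json: dict, inspect_json: list) -> list[str]:
    """Return a list of problems for one host; an empty list means it passes."""
    problems = []
    if not verify_json.get("valid", False):
        problems.append(f"{host}: certificate failed verification")
    for name in missing_names(inspect_json, expected):
        problems.append(f"{host}: SAN list does not cover {name}")
    return problems


def main(hosts: dict[str, list[str]], expiry_warn_days: int = 30) -> int:
    """Check every host; exit status 1 if any problem was found."""
    failures = []
    for host, expected in hosts.items():
        verify_json = run_crt(["verify", host, "--expiry-warn", str(expiry_warn_days)])
        inspect_json = run_crt(["inspect", host])
        failures += gate(host, expected, verify_json, inspect_json)
    print("\n".join(failures) if failures else "all certificates pass")
    return 1 if failures else 0


if __name__ == "__main__":
    raise SystemExit(main({"example.com": ["example.com", "www.example.com"]}))
```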

---

See also