[GH-ISSUE #564] Certificates: add keypair + CSR generation command #155

Closed
opened 2026-02-26 21:33:49 +03:00 by kerem · 0 comments
Owner

Originally created by @rudrankriyam on GitHub (Feb 16, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/564

Summary

Add a first-class, non-interactive command to generate a signing private key + CSR that can be fed directly into existing certificate creation workflows.

Today, asc certificates create requires a CSR file (--csr), but generating a CSR is currently an external/manual step.

Why this matters

CSR generation is a common “first mile” step for signing automation:

  • CI bootstrap flows need to generate a CSR without Keychain UI.
  • Users should not need to remember OpenSSL incantations or Keychain Certificate Assistant steps.
  • A deterministic, scriptable CSR generator makes certificate automation more AI/CI friendly.

Current state (verified)

  • asc certificates create --certificate-type TYPE --csr ./cert.csr exists.
  • CSR generation is not available as an asc command.
  • asc certificates create accepts both PEM and “normalized base64” CSR input (see readCSRContent).

Proposed UX

Command

Add a new subcommand under certificates (name bikeshed is fine):

  • asc certificates csr generate (preferred)
  • or asc certificates csr-generate

Examples

```bash
# Generate private key + CSR
asc certificates csr generate \
  --common-name "ASC Signing" \
  --key-out "./signing/cert.key" \
  --csr-out "./signing/cert.csr"

# Use CSR to create a certificate
asc certificates create \
  --certificate-type IOS_DISTRIBUTION \
  --csr "./signing/cert.csr"
```

Flags (proposal)

Required:

  • --key-out private key output path (PEM)
  • --csr-out CSR output path (PEM)

Optional:

  • --common-name (default: asc)
  • --email, --organization, --organizational-unit, --country (optional subject fields)
  • --key-type (default rsa)
  • --key-size (default 2048)
  • --force overwrite existing output files (default false)
  • --output json|table|markdown summary output (default json)
  • --pretty for JSON

Behavior requirements

  • No interactive prompts.
  • Do not print private key material to stdout/stderr. Output should be a summary (paths + subject + key params).
  • Refuse to follow symlinks for --key-out / --csr-out.
  • By default, refuse to overwrite existing files; require --force.
  • Write outputs safely (ideally atomic temp file + rename in same dir).
  • File permissions:
    • private key should be written with restrictive permissions (e.g. 0600 on unix)
    • CSR can be more permissive (e.g. 0644)

Output model

JSON (default)

Return a structured summary object, e.g.

```json
{
  "keyOut": "signing/cert.key",
  "csrOut": "signing/cert.csr",
  "keyType": "rsa",
  "keySize": 2048,
  "subject": {
    "commonName": "ASC Signing",
    "email": "",
    "organization": "",
    "organizationalUnit": "",
    "country": ""
  }
}
```

This is intentionally “boring” and deterministic so CI/agents can reason about it.

Detailed implementation plan (TDD-first)

  • Add new command under internal/cli/certificates/.
  • Implement generator using Go stdlib:
    • crypto/rsa for key generation
    • crypto/x509 for CSR creation
    • encoding/pem for PEM output
  • Add secure file write helpers (reuse existing secureopen utilities where possible):
    • refuse symlink outputs
    • refuse overwrite unless --force
    • ensure private key permissions are restrictive
  • Add cmdtests:
    • missing required flags -> usage error (exit code 2)
    • generates PEM key + PEM CSR
    • subject fields match flags
    • refuses overwrite unless --force
    • refuses symlink output paths
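
The stdlib generator the plan describes, as an added example in Go that is not code from the issue or from the App-Store-Connect-CLI project. It covers only the `rsa` key type, uses PKCS#1 PEM for the key, and checks the generated CSR's self-signature the way a consumer of `--csr` would. `Subject`, `Summary`, `GenerateRSACSR` and `ParseAndCheckCSR` are hypothetical names; the 2048-bit floor is this example's own policy, and the paths in `main` are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// Subject mirrors the issue's JSON "subject" object; struct tags fix field names and order.
type Subject struct {
	CommonName         string `json:"commonName"`
	Email              string `json:"email"`
	Organization       string `json:"organization"`
	OrganizationalUnit string `json:"organizationalUnit"`
	Country            string `json:"country"`
}

// Summary is the only thing the command prints: paths, key params and subject, never key bytes.
type Summary struct {
	KeyOut  string  `json:"keyOut"`
	CsrOut  string  `json:"csrOut"`
	KeyType string  `json:"keyType"`
	KeySize int     `json:"keySize"`
	Subject Subject `json:"subject"`
}

// PKCS#9 emailAddress: pkix.Name has no Email field, so it goes in ExtraNames.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// GenerateRSACSR returns the PEM-encoded private key (PKCS#1) and CSR for subj.
// The 2048-bit floor is this example's own policy, matching the issue's default.
func GenerateRSACSR(subj Subject, bits int) (keyPEM, csrPEM []byte, err error) {
	if bits < 2048 {
		return nil, nil, fmt.Errorf("key size %d is below the 2048-bit minimum", bits)
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	opt := func(s string) []string { // empty flag -> attribute omitted entirely
		if s == "" {
			return nil
		}
		return []string{s}
	}
	name := pkix.Name{
		CommonName:         subj.CommonName,
		Organization:       opt(subj.Organization),
		OrganizationalUnit: opt(subj.OrganizationalUnit),
		Country:            opt(subj.Country),
	}
	if subj.Email != "" {
		name.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: subj.Email}}
	}
	tmpl := &x509.CertificateRequest{Subject: name, SignatureAlgorithm: x509.SHA256WithRSA}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// ParseAndCheckCSR decodes a PEM CSR and verifies its self-signature; anything else is rejected.
func ParseAndCheckCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	return csr, nil
}

func main() {
	subj := Subject{CommonName: "ASC Signing"}
	_, csrPEM, err := GenerateRSACSR(subj, 2048)
	if err == nil {
		_, err = ParseAndCheckCSR(csrPEM) // round-trip check before reporting success
	}
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Constructed placeholder paths; only the summary is printed, never the key.
	out, _ := json.MarshalIndent(Summary{KeyOut: "signing/cert.key", CsrOut: "signing/cert.csr", KeyType: "rsa", KeySize: 2048, Subject: subj}, "", "  ")
	fmt.Println(string(out))
}
```

Empty subject flags are dropped from the RDN rather than emitted as empty attributes, and the JSON field order comes from the struct tags, which is what keeps the summary byte-stable across runs for the deterministic-output acceptance criterion.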

Acceptance criteria

  • asc certificates csr generate --help exists and is self-documenting.
  • Generated CSR works with asc certificates create --csr ....
  • Output is deterministic (especially JSON fields and their casing).
  • No secrets printed.
  • make test passes with new cmdtest coverage.
kerem closed this issue 2026-02-26 21:33:49 +03:00