kt
y509: A terminal user interface (TUI) tool for viewing and analyzing X.509 certificate chains

Introduction

Have you ever found yourself squinting at the terminal, trying to decipher the output of openssl s_client -connect ... -showcerts?

It works, but scrolling through walls of text to find an issuer or an expiration date isn't exactly a great developer experience.

"I wanted to check certificate chains more intuitively, interactively, and—most importantly—in style."

With that in mind, I built y509, a TUI tool written in Go using Bubble Tea.

What is y509?

y509 is a Terminal User Interface (TUI) tool designed for viewing and analyzing X.509 certificate chains.

As for the name "y509"—it was chosen somewhat arbitrarily, clearly influenced by "X.509" (and maybe because Y comes after X?).

Key Features:

  • Intuitive TUI: A two-pane interface displaying the certificate hierarchy list alongside detailed information.
  • Chain Validation: Comprehensive validation with detailed error reporting.
  • Search & Filter: Search certificates by CN, organization, or DNS names; filter by status (expired/expiring).
  • Export Functionality: Easily export specific certificates from the chain in PEM or DER format.
  • Status Indicators: Color-coded warnings for expired or soon-to-expire certificates.

Motivation

1. I wanted to build a TUI tool

After using tools like k9s, I realized how awesome TUIs can be. The ability to have a rich, interactive experience without ever leaving the terminal fascinated me. I wanted to try building one myself using modern libraries.

2. Checking certificate chains is tedious

Using the openssl command to view a certificate chain is a hassle. Even slightly more modern tools such as the step (smallstep) CLI, while better, usually produce only text output. They lack interactivity and, frankly, they're boring.

Since checking certificate chains isn't inherently exciting work, I wanted to create a tool that allows me to check them quickly and visually, making the process a little more enjoyable.

Installation

macOS (via Homebrew)

If you are on macOS, you can install it easily via Homebrew:

brew tap kanywst/y509 https://github.com/kanywst/y509
brew install y509

Go Install

Alternatively, you can install it using Go:

go install github.com/kanywst/y509@latest

Usage

y509 supports reading from local files as well as reading directly from standard input (stdin).

The Killer Feature: Piping from OpenSSL

This is my favorite way to use it. You can grab a chain from a live website and analyze it instantly without creating temporary files:

openssl s_client -connect example.com:443 -showcerts | y509

Reading from a file

Of course, you can also read existing files:

y509 path/to/certificate-chain.pem

Controls

The tool uses Vim-like keybindings, so if you are used to Vim, you'll feel right at home.

Key      Action
j / k    Navigate up and down the certificate list
h / l    Switch between the list pane and the details pane
:        Enter command mode
q        Quit application

Command Mode

Press : to enter command mode. This allows you to perform advanced actions such as validation, searching, and exporting.

Examples:

  • Search: search google (Finds certs with "google" in CN/SAN/Org)
  • Filter: filter expiring (Shows certs expiring within 30 days)
  • Export: export pem output.pem (Saves the selected certificate to a file)
  • Validate: validate (Runs chain validation logic)

Tech Stack

This project is built with Go and stands on the shoulders of giants:

  • Bubble Tea: A powerful TUI framework based on The Elm Architecture.
  • Lip Gloss: A style definition library for TUIs.

In the Go ecosystem, the Charm libraries (Bubble Tea, Lip Gloss, etc.) are becoming the de facto standard for modern CLI tool development. They provided an excellent developer experience.


Conclusion

Building a TUI turned a mundane verification task into something visually interesting. I hope this tool helps you the next time you need to debug a certificate chain!

Please give it a try and let me know what you think in the comments. If you find the project useful, I would really appreciate a star on GitHub!