PKI

Public Key Infrastructure for Tcl

Tcllib now has a "PKI" module. This module includes support for RSA certificates, but is extensible to include other types of public key cryptographic systems.

Documentation

X.509 Style Guide, Peter Gutmann

Tools

Tcllib pki
TclPKCS11, by Roy Keene, supports loading a PKCS#11 compliant module and offloading sensitive cryptographic operations onto it. It requires the "PKI" module in Tcllib.

Create a self-signed certificate under PKI

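package require pki

set key [pki::rsa::generate 2048]  ;# 512-bit RSA can be factored; larger keys are slow to generate in pure Tcl
set csr [pki::pkcs::create_csr $key [list CN www.google.com] 1]
set csr [pki::pkcs::parse_csr $csr]
lappend key subject "CN=www.google.com"  ;# issuer DN is taken from the signing key list
set now [clock seconds]
set crt [::pki::x509::create_cert $csr $key 1 $now [clock add $now 1 year] 1 [list] 1]  ;# notAfter must be later than notBefore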

or, wrapped as a proc:

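proc self_sign {key args} {
    # args is a flat list of DN attribute/value pairs, e.g. CN www.google.com
    set csr [pki::pkcs::create_csr $key $args 1]
    set csr [pki::pkcs::parse_csr $csr]
    set subject [list]
    dict for {n v} $args {lappend subject "$n=$v"}
    # The signing key list must carry the issuer DN under "subject"
    lappend key subject [join $subject ", "]
    # Serial 1, valid from now for one year, marked as a CA, no extra extensions, PEM output
    set now [clock seconds]
    return [::pki::x509::create_cert $csr $key 1 $now [clock add $now 1 year] 1 [list] 1]
}
self_sign [pki::rsa::generate 2048] ...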
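
To check what the certificate actually contains, the following added example (not from the original page or from Tcllib) builds a self-signed certificate with an explicit lifetime, parses it back with pki::x509::parse_cert and runs pki::x509::validate_cert on it. The procs make_self_signed and inspect_cert and the name www.example.test are hypothetical, chosen for illustration.

```tcl
package require pki

# Hypothetical helper (not part of Tcllib): self-sign a certificate for one
# CN with an explicit validity window given in days.
proc make_self_signed {cn days} {
    set key [pki::rsa::generate 2048]   ;# pure Tcl, may take a while
    set csr [pki::pkcs::parse_csr [pki::pkcs::create_csr $key [list CN $cn] 1]]
    lappend key subject "CN=$cn"        ;# issuer DN is read from the signing key list
    set now [clock seconds]
    set end [clock add $now $days days]
    return [pki::x509::create_cert $csr $key 1 $now $end 1 [list] 1]
}

# Hypothetical helper: parse a PEM certificate and collect the fields a
# relying party would look at before trusting it.
proc inspect_cert {pem} {
    set cert [pki::x509::parse_cert $pem]
    set lifetime [expr {[dict get $cert notAfter] - [dict get $cert notBefore]}]
    return [dict create \
        subject   [dict get $cert subject] \
        issuer    [dict get $cert issuer] \
        serial    [dict get $cert serial_number] \
        lifetime  $lifetime \
        valid_now [pki::x509::validate_cert $cert]]
}

# Constructed sample: a 30-day certificate for a reserved test name.
set pem [make_self_signed www.example.test 30]
dict for {field value} [inspect_cert $pem] {
    puts [format "%-10s %s" $field $value]
}
```

If notBefore and notAfter are both set to the current time, lifetime is 0 and valid_now turns false as soon as the clock advances.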