Quick and easy X.509 certificate generator for SSL/TLS utilizing local PKI

Snawoot/quickcerts

quickcerts


❤️ ❤️ ❤️

You can say thanks to the author by donations to these wallets:

  • ETH: 0xB71250010e8beC90C5f9ddF408251eBA9dD7320e
  • BTC:
    • Legacy: 1N89PRvG1CSsUk9sxKwBwudN6TjTPQ1N8a
    • Segwit: bc1qc0hcyxc000qf0ketv4r44ld7dlgmmu73rtlntw

Features

  • Easy to use.
  • Generates both client and server certificates.
  • Produces certificates with proper attributes (Key Usage, Extended Key Usage, Authority Key Identifier, Subject Key Identifier and so on).
  • Supports certificates with multiple domain names (SAN, SubjectAlternativeName).
  • Supports wildcard certificates.
  • Generates PKCS12 (.pfx, .p12) as well.

Requirements

  • Python 3.4+
  • cryptography 1.6+

Installation

From source

Run this command within the source directory:

pip3 install .

From PyPI

pip3 install quickcerts

Snap Store

sudo snap install quickcerts

Docker

For deployment with Docker, see the "Docker" section below.

Usage example

quickcerts -D "*.example.com" example.com -D www.example2.com example2.com mx.example2.com -C "John Doe" -C "Jane Doe"
quickcerts -D localhost 127.0.0.1

These commands will produce the following files in the current directory:

  • CA certificate and key
  • Two server certificates with multiple DNS names or IP addresses in their SubjectAlternativeName fields, and the keys for those certificates.
  • Two client certificates for CN="John Doe" and CN="Jane Doe" (and keys for them).

Subsequent invocations will reuse the created CA.
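
The following check is an added example, not part of quickcerts or its README. It audits a server certificate for the attributes listed under Features (SAN, Extended Key Usage, Authority Key Identifier, Subject Key Identifier) using the cryptography library; the helper names and the throwaway "Sample CA" pair it builds in memory are constructed for the demonstration.

```python
import datetime, ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def _issue(cn, issuer_cn, pub, signing_key, exts):
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    for ext in exts:  # only BasicConstraints is marked critical in this sample
        b = b.add_extension(ext, isinstance(ext, x509.BasicConstraints))
    return b.sign(signing_key, hashes.SHA256())

def make_sample(names, full=True):  # constructed CA + server cert; full=False omits EKU/AKI
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _issue("Sample CA", "Sample CA", ca_key.public_key(), ca_key,
                [x509.BasicConstraints(ca=True, path_length=None),
                 x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key())])
    san = []
    for n in names:  # IP literals become iPAddress entries, the rest dNSName
        try:
            san.append(x509.IPAddress(ipaddress.ip_address(n)))
        except ValueError:
            san.append(x509.DNSName(n))
    exts = [x509.SubjectAlternativeName(san),
            x509.SubjectKeyIdentifier.from_public_key(key.public_key())]
    if full:
        exts += [x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                 x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key())]
    return ca, _issue(names[0], "Sample CA", key.public_key(), ca_key, exts)

def audit_server_cert(cert, ca):  # hypothetical helper: returns problems, [] means pass
    problems, found = [], {}
    for cls in (x509.SubjectAlternativeName, x509.ExtendedKeyUsage,
                x509.AuthorityKeyIdentifier, x509.SubjectKeyIdentifier):
        try:
            found[cls] = cert.extensions.get_extension_for_class(cls).value
        except x509.ExtensionNotFound:
            problems.append("missing " + cls.__name__)
    eku, aki = found.get(x509.ExtendedKeyUsage), found.get(x509.AuthorityKeyIdentifier)
    if eku is not None and ExtendedKeyUsageOID.SERVER_AUTH not in eku:
        problems.append("EKU lacks serverAuth")
    ca_ski = ca.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    if aki is not None and aki.key_identifier != ca_ski.digest:
        problems.append("AKI does not match CA SKI")
    return problems
```

To audit files on disk, load them with x509.load_pem_x509_certificate() and pass the resulting objects to audit_server_cert().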

Docker

You can also run this application with Docker:

docker run -it --rm -v "$(pwd)/certs:/certs" \
    yarmak/quickcerts -D server -C client1 -C client2 -C client3

In this example, the CA and certificates will be created in the ./certs directory.

Synopsis

$ quickcerts --help
usage: quickcerts [-h] [-o OUTPUT_DIR] [-k KEY_SIZE] [--kdf-rounds KDF_ROUNDS]
                  [-D DOMAINS [DOMAINS ...]] [-C CLIENT] [-P PASSWORD]

Generate RSA certificates signed by common self-signed CA

options:
  -h, --help            show this help message and exit
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
                        location of certificates output (default: .)
  -k KEY_SIZE, --key-size KEY_SIZE
                        RSA key size used for all certificates (default: 2048)
  --kdf-rounds KDF_ROUNDS
                        number of KDF rounds (default: 50000)
  -D DOMAINS [DOMAINS ...], --domains DOMAINS [DOMAINS ...]
                        Generate server certificate which covers following
                        domains or IP addresses delimited by spaces. First one
                        will be set as CN. Option can be used multiple times.
                        (default: None)
  -C CLIENT, --client CLIENT
                        Generate client certificate with following name.
                        (default: None)
  -P PASSWORD, --password PASSWORD
                        password for newly generated .pfx files (default:
                        password)