Self-signed SSL certificate generator 🔐
This tool is an experiment to learn "How to create a self-signed certificate".
With pip:
pip install certpy
Install from source (you need to install python-pdm first):
git clone https://github.com/aprilahijriyan/certpy.git
cd certpy
pdm install
CertPy provides a workflow file, which will be used to instruct the creation of the certificate.
The workflow file name is
certpy.yml(you cannot change the file name or extension to.yaml) and the workflow file must be in the directory you are working in.
Here's an example of a workflow:
# Save it as certpy.yml in the current directory.
certificate_age: &age
days: 365
certificates:
kuli:
type: ca
distinguished_name:
countryName: ID
stateOrProvinceName: Indonesia
localityName: Jawa Barat
organizationName: Kuli Dev
organizationalUnitName: OSS
commonName: Kuli Dev Root CA
emailAddress: null
age: *age
hash: sha256
overwrite: true
server:
type: server
distinguished_name:
commonName: Server
ca_file: kuli
age: *age
hash: sha256
san:
ip:
- 192.168.18.203
dns:
- ca.example.com
overwrite: true
client:
type: client
distinguished_name:
commonName: Client
ca_file: kuli
age: *age
hash: sha256
overwrite: trueThen, create a CertPy environment (this is to hold all certificates created by CertPy).
# this will create a `~/.certpy` directory and create a default `Root CA` certificate stored in `~/.certpy/ca/certs/rootCA.pem`.
certpy ca initNow you can create your own certificate from the workflow file!
$ certpy create
'kuli' Root CA
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CA File ┃ CA Key ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ /home/april/.certpy/ca/certs/kuli.pem │ /home/april/.certpy/ca/private/kuli.key │
└───────────────────────────────────────┴─────────────────────────────────────────┘
'server' Certificate
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Cert File ┃ Cert Key ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ /home/april/.certpy/server/certs/server.pem │ /home/april/.certpy/server/private/server.key │
└─────────────────────────────────────────────┴───────────────────────────────────────────────┘
'client' Certificate
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Cert File ┃ Cert Key ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ /home/april/.certpy/client/certs/client.pem │ /home/april/.certpy/client/private/client.key │
└─────────────────────────────────────────────┴───────────────────────────────────────────────┘
You can verify the self-signed certificate, using the command:
$ openssl verify -verbose -CAfile /home/april/.certpy/ca/certs/kuli.pem /home/april/.certpy/server/certs/server.pem
/home/april/.certpy/server/certs/server.pem: OK
All certificates generated by CertPy will be stored in the ~/.certpy directory. And each type of certificate is stored in a different directory.
- For
Root CAstored in~/.certpy/ca. - For
Server Certificatestored in~/.certpy/server. - For
Client Certificatestored in~/.certpy/client.
In the directory ~/.certpy/{ca,server,client} there are 2 directories.
- The
certsdirectory is used to store certificates. - The
privatedirectory is used to store certificate keys.
-
About
certificatesin workflow fileIt contains the definition of certificate. In CertPy only supports
Root CA,ServerandClientcertificate types.Each type of certificate has a different data structure. Read more below...
-
About
Root CACertificateThe structure for
Root CAis as follows:-
type: set tocato mark if this is a Root CA certificate. (required) -
distinguished_name: (object, required)countryName: Country Code (e.g.ID) (optional)stateOrProvinceName: State (e.g.Indonesia) (optional)localityName: Province (e.g.Jawa Barat) (optional)organizationName: Organization Name (e.g.Kuli Dev) (optional)organizationalUnitName: Organization Unit Name (e.g.OSS) (optional)commonName: Common Name (e.g.Kuli Dev Root CA) (required)emailAddress: Email address (e.g.[email protected]) (optional)
-
age: (object, required)You must fill in one of the fields below. For example fill
dayswith365(which is a certificate valid in 1 year)dayssecondsmicrosecondsmillisecondsminuteshoursweeks
-
hash: See https://www.pyopenssl.org/en/latest/api/crypto.html#digest-names (required) -
overwrite: If it is set totrueit will overwrite the old certificate with the new one. By default, if the certificate already exists it will be skipped. (bool, optional)
-
-
About
ServerCertificateIts structure is the same as
Root CA.However, there is a slight addition to the
Servercertificate. Here's a list of the new fields in theservercertificate:-
ca_file: (strorarray, required)The CA file is required to sign certificates for
serverorclient.- If it is
str, it will use theRoot CAcertificate from the workflow file. - If using
array, must have 2 items. For example index0isCA Fileand index1isCA Key.
- If it is
-
san: (object, required)ip: IP address list (array)dns: Domain name list (array)
Note: the certificate must be marked with
type: serverif you want to create a certificate forServer. -
-
About
ClientCertificateIts structure is the same as
Server Certificate.However, on the client certificate it doesn't have a
sanfield.Note: the certificate must be marked with
type: clientif you want to create a certificate forClient.
CertPy is heavily inspired by the following tools: