This program helps system administrators configure a web service that presents the full SSL/TLS certificate chain during the handshake.
When the server provides all the certificates needed, clients gain a small performance benefit when verifying the server certificate, since they don't have to fetch the missing intermediates themselves.
The certificate chain output follows the requirements for the TLS 1.2 Server Certificate message.
Note
This program relies on the CA Issuers field of the Authority Information Access extension (OID: 1.3.6.1.5.5.7.48.2) being present in the certificates, and follows it to locate each issuer.
Users shouldn't see SSL handshake errors due to an invalid certificate, because this program also validates every certificate in the chain. These are the items checked for each certificate in the chain:
- Signature (verified with the issuer's public key)
- Issuer name, which must match the subject name in the issuer's certificate
- Validity dates (Not Before, Not After)
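As an added illustration (not code from the make-certificate-chain project), the following Python script shows the two mechanisms described above: following the CA Issuers URL from the AIA extension to find each issuer, and applying the three checks listed (signature, issuer/subject name match, validity dates) to every link before emitting the chain as PEM, leaf first. It uses the `cryptography` library; the root/intermediate/leaf certificates and the `fetch` callable that stands in for an HTTP download are constructed inside the script, and the CA names, `ca.example.invalid` URLs and function names are my assumptions.

```python
import datetime as dt
from typing import Callable, Dict, List, Optional

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID


class ChainError(Exception):
    """A certificate failed one of the chain checks."""


def ca_issuers_url(cert: x509.Certificate) -> Optional[str]:
    """First CA Issuers (OID 1.3.6.1.5.5.7.48.2) URL in the AIA extension, or None."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return None
    for desc in aia:
        if desc.access_method == AuthorityInformationAccessOID.CA_ISSUERS:
            return desc.access_location.value
    return None


def _validity(cert: x509.Certificate):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases give naive UTC.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
            cert.not_valid_after.replace(tzinfo=dt.timezone.utc))


def check_link(cert: x509.Certificate, issuer: x509.Certificate, now: dt.datetime) -> None:
    """Name match, validity dates and signature (ECDSA-signed certificates only in this demo)."""
    if cert.issuer != issuer.subject:
        raise ChainError(f"issuer name mismatch for {cert.subject.rfc4514_string()}")
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        raise ChainError(f"{cert.subject.rfc4514_string()} is not valid at {now.isoformat()}")
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature as exc:
        raise ChainError(f"bad signature on {cert.subject.rfc4514_string()}") from exc


def build_chain(leaf: x509.Certificate, fetch: Callable[[str], bytes],
                now: Optional[dt.datetime] = None) -> List[x509.Certificate]:
    """Follow CA Issuers URLs from the leaf up to a self-signed root, checking every link."""
    now = now or dt.datetime.now(dt.timezone.utc)
    chain, visited = [leaf], set()
    while chain[-1].issuer != chain[-1].subject:  # stop once the self-signed root is reached
        url = ca_issuers_url(chain[-1])
        if url is None:
            raise ChainError("no CA Issuers URL in AIA; cannot locate the issuer")
        if url in visited:
            raise ChainError(f"AIA loop at {url}")
        visited.add(url)
        issuer = x509.load_der_x509_certificate(fetch(url))
        check_link(chain[-1], issuer, now)
        chain.append(issuer)
    check_link(chain[-1], chain[-1], now)  # the root must verify under its own key
    return chain


def chain_to_pem(chain: List[x509.Certificate]) -> str:
    """Leaf first, root last, the order a TLS server sends it."""
    return "".join(c.public_bytes(serialization.Encoding.PEM).decode() for c in chain)


# --- constructed test PKI (hypothetical names and URLs, not real CAs) ---------
def _cert(cn, issuer_name, subject_key, signer_key, ca, aia=None, days=365):
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(issuer_name).public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if aia:  # where the issuer's DER certificate would be published
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.CA_ISSUERS, x509.UniformResourceIdentifier(aia))]), critical=False)
    return b.sign(signer_key, hashes.SHA256())


def constructed_pki():
    """Root -> intermediate -> leaf, plus an in-memory fetcher standing in for HTTP retrieval."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    root = _cert("Example Root CA", root_name, root_key, root_key, True)
    inter = _cert("Example Intermediate CA", root.subject, int_key, root_key, True,
                  aia="http://ca.example.invalid/root.der")
    leaf = _cert("www.example.com", inter.subject, leaf_key, int_key, False,
                 aia="http://ca.example.invalid/intermediate.der")
    store: Dict[str, bytes] = {
        "http://ca.example.invalid/root.der": root.public_bytes(serialization.Encoding.DER),
        "http://ca.example.invalid/intermediate.der": inter.public_bytes(serialization.Encoding.DER)}
    return leaf, store.__getitem__


def demo() -> dict:
    """Happy path, a chain checked 800 days from now (expired), and a fetcher returning the wrong issuer."""
    leaf, fetch = constructed_pki()
    chain = build_chain(leaf, fetch)
    results = {"subjects": [c.subject.rfc4514_string() for c in chain],
               "pem_count": chain_to_pem(chain).count("BEGIN CERTIFICATE")}
    cases = {"expired_rejected": (leaf, fetch, dt.datetime.now(dt.timezone.utc) + dt.timedelta(days=800)),
             "wrong_issuer_rejected": (leaf, lambda _url: fetch("http://ca.example.invalid/root.der"), None)}
    for name, args in cases.items():
        try:
            build_chain(*args)
            results[name] = False
        except ChainError:
            results[name] = True
    return results
```

A real tool would replace the in-memory `fetch` with an HTTP download and would also need to handle RSA-signed certificates (the signature check above only covers ECDSA keys). The name and date checks are done before the signature check so that a mismatched issuer fails fast with a readable error instead of a cryptographic one.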
Supported certificate container formats:
- X.509 in PEM or DER encoding (--cert-type=x509)
- PKCS#7 certificate bundle in PEM or DER encoding (--cert-type=pkcs7)
- PKCS#12 certificate and key bundle in DER encoding (--cert-type=pkcs12)
Important
For a PKCS#12 bundle, when importing the certificate into cloud services, this program will only use the private key bundled in it.
If the bundle doesn't contain the key, the program will fail.
Important
For containers capable of bundling multiple certificates (X.509 in PEM, PKCS#7, PKCS#12), only the first certificate is parsed by this program.
Supported cloud services:
- AWS - AWS Certificate Manager (ACM)
Requirements:
- Python 3.10 or later
- For importing certificates to cloud services:
  - AWS CLI for importing certificates to AWS Certificate Manager (ACM)
  - Google Cloud CLI for importing certificates to Google Cloud
Installation:

```sh
pip install -U git+https://github.com/jacky9813/make-certificate-chain
```

Note
Unlike OpenSSL, this program detects the certificate encoding format (PEM or DER) automatically, so you don't have to pass -inform DER or an equivalent parameter.
You still have to specify the container format for certificates in PKCS#7 and PKCS#12 containers with the --cert-type parameter.
Usage:

Output the chain for a certificate file:

```sh
mkcertchain output-only example.cert.pem > example.chain.pem
```

Build the chain from the certificate a live server presents:

```sh
echo "" | openssl s_client -connect www.example.com:443 | mkcertchain output-only > example.com.chain.pem
```

Import into Google Cloud:

```sh
# Log into Google Cloud and update Application Default Credentials
gcloud auth application-default login
# The following command will ask for the private key password, even if it's
# unencrypted. In that case, input nothing but Enter when prompted for the
# password.
mkcertchain gcp \
    --project my-project my-certificate \
    server.cert.pem server.key.pem
```

Import into Google Cloud using the Certificate Manager API:

```sh
# Log into Google Cloud and update Application Default Credentials
gcloud auth application-default login
# The following command will ask for the private key password, even if it's
# unencrypted. In that case, input nothing but Enter when prompted for the
# password.
mkcertchain gcp \
    --api certificatemanager \
    --project my-project my-certificate \
    server.cert.pem server.key.pem
```

Import a PKCS#12 bundle into AWS Certificate Manager:

```sh
# The following command will ask for the password to unpack the PKCS#12
# bundle, even if it's unencrypted.
# In that case, input nothing but Enter when prompted for the password.
mkcertchain aws --cert-type=pkcs12 \
    --profile=aws-cli-profile --region=ap-northeast-1 \
    server.pfx
```

Run as a Python module:

```sh
python3 -m make_certificate_chain --help
# This is effectively the same as the following
# mkcertchain --help
```