A user-friendly command-line tool for managing Certificate Authorities (CAs) and issuing TLS/SSL certificates.
- 🔐 Multi-CA Management - Create and manage multiple Certificate Authorities
- 📜 Easy Certificate Issuance - Issue server certificates with auto-populated defaults
- 🎨 Colorful CLI - Beautiful, intuitive command-line interface
- ⚙️ YAML Configuration - Optional configuration file for defaults
- 🚀 No Root Required - Runs entirely in userspace
- 🔍 Config Introspection - See where each setting comes from
- 💾 Persistent Storage - Organized directory structure for all certificates
- 🎯 Smart Defaults - Auto-detect CN, SAN, and CA when possible
- 📊 Human-Friendly Output - Clear certificate summaries
- 🔒 Trust Bundle Management - Easy CA distribution for Ubuntu, RHEL, Alpine, K8s, containers
```bash
# 1. Initialize storage
./certmgr init
# 2. Create a CA
./certmgr ca create -n myca
# 3. Issue a certificate (minimal)
./certmgr cert issue -n myserver
# 4. View certificate details
./certmgr cert show -n myserver
# 5. Create trust bundle and export for Ubuntu
./certmgr trust bundle -n all --ca all
./certmgr trust export -n all --format ubuntu -o install.sh
# 6. Check configuration
./certmgr config
```

```bash
# Clone the repository
git clone https://github.com/yourusername/certmgr.git
cd certmgr
# Make executable
chmod +x certmgr
# Install to /usr/local/bin
make install
```

- Bash 4.0+
- OpenSSL
For faster workflows:
```bash
certmgr c new -n myca               # Create CA (short form)
certmgr c ls                        # List CAs
certmgr i -n server                 # Issue certificate (short form)
certmgr cert ls                     # List certificates
certmgr t bundle -n all --ca all    # Create trust bundle (short form)
certmgr t ls                        # List trust bundles
```

```bash
certmgr init
```

Creates the directory structure:

```
certs/
├── CAs/      # Certificate Authorities
├── issued/   # Issued certificates
└── trust/    # Trust bundles
```
Create a CA:
```bash
# Minimal
certmgr ca create -n production-ca
# With custom subject
certmgr ca create -n myca \
  --subject "/C=US/O=Acme/CN=Acme Root CA" \
  --days 3650 \
  --key-bits 4096 \
  --digest sha384
```

List CAs:

```bash
certmgr ca list
```

Show CA details:

```bash
certmgr ca show -n production-ca
```

Minimal (everything auto-detected):
```bash
certmgr cert issue -n myserver
# Auto-detects: CN=myserver, SAN=myserver, uses only available CA
```

With custom options:

```bash
certmgr cert issue -n web01 \
  --cn web01.example.com \
  --san "web01.example.com,www.example.com,192.168.1.10" \
  --ca production-ca \
  --days 825
```

List certificates:

```bash
certmgr cert list
```

Show certificate details:

```bash
certmgr cert show -n web01
```

Output:

```
— Certificate Summary —
Name: web01
CN: web01.example.com
SANs: web01.example.com,www.example.com,192.168.1.10
Issuer: production-ca Root CA
Validity: 2025-01-01 → 2027-03-01
Files:
Key: certs/issued/web01/server.key
Cert: certs/issued/web01/server.crt
Chain: certs/issued/web01/chain.crt
```
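The files listed in the summary can also be checked with OpenSSL directly, independent of certmgr. The following is an added example, not part of certmgr: it confirms that `server.key` belongs to `server.crt`, that the certificate chains to the CA, that a DNS name is covered by the SANs, and that expiry is not close. The names `verify_issued` and `make_sample` and the throwaway sample CA are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not certmgr code): independent OpenSSL checks on a directory
# laid out like certs/issued/<name>/. Function names are this example's own.

# verify_issued <issued_dir> <ca_cert> <dns_name> [min_days_left]
# Returns 0 = all checks pass, 1 = unreadable input, 2 = key/cert mismatch,
# 3 = not signed by this CA, 4 = name not covered by SAN, 5 = expires too soon.
verify_issued() {
  local dir="$1" ca="$2" host="$3" days="${4:-30}" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 2
  openssl verify -CAfile "$ca" "$dir/server.crt" >/dev/null 2>&1 || return 3
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$dir/server.crt" \
    >/dev/null 2>&1 || return 4
  openssl x509 -in "$dir/server.crt" -noout -checkend $((days * 86400)) \
    >/dev/null 2>&1 || return 5
}

# make_sample <base_dir> <ca_name>: constructed throwaway CA plus a web01
# certificate, built with plain openssl so the example runs without certmgr.
make_sample() {
  local d="$1" ca="$1/CAs/$2" leaf="$1/issued/web01"
  mkdir -p "$ca" "$leaf"
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' '[leaf]' \
    'subjectAltName=DNS:web01.example.com,DNS:www.example.com' > "$d/sample.cnf"
  openssl req -x509 -config "$d/sample.cnf" -extensions ca -newkey rsa:2048 \
    -nodes -days 365 -subj "/CN=Sample $2 Root" \
    -keyout "$ca/private.key" -out "$ca/ca.crt" 2>/dev/null
  openssl req -new -config "$d/sample.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=web01.example.com" \
    -keyout "$leaf/server.key" -out "$leaf/server.csr" 2>/dev/null
  openssl x509 -req -in "$leaf/server.csr" -days 90 -CAcreateserial \
    -CA "$ca/ca.crt" -CAkey "$ca/private.key" \
    -extfile "$d/sample.cnf" -extensions leaf -out "$leaf/server.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" myca
verify_issued "$demo_dir/issued/web01" "$demo_dir/CAs/myca/ca.crt" web01.example.com \
  && echo "web01: key, chain, SAN and expiry checks passed"
```

Against real certmgr output the call would be `verify_issued certs/issued/web01 certs/CAs/production-ca/ca.crt web01.example.com`, assuming the directory layout shown on this page. IP SANs such as `192.168.1.10` are matched with `openssl verify -verify_ip` rather than `-verify_hostname`.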
Trust bundles make it easy to distribute your CAs to systems, containers, and Kubernetes clusters.
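A bundle installed on a host or mounted into a pod becomes a set of trust anchors there, so it is worth listing what it holds before distributing it. The following added example (not part of certmgr) splits a PEM bundle, prints each certificate's SHA-256 fingerprint and subject, and flags entries that are not CA certificates or have expired. It assumes the PEM export is a plain concatenation of certificates; `audit_bundle`, `sample_cert` and the sample certificates are this example's own constructions.

```shell
#!/usr/bin/env bash
# Added example (not certmgr code): list what a PEM trust bundle contains
# before installing it. Function names and sample data are this example's own.

# audit_bundle <bundle.pem>
# Prints one line per certificate: SHA-256 fingerprint, subject, findings.
# Returns 0 only if every entry is an unexpired CA certificate.
audit_bundle() {
  local bundle="$1" work f fp subj note rc=0
  work=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate.
  awk -v dir="$work" '
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%03d.pem", dir, ++n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }' "$bundle"
  for f in "$work"/*.pem; do
    [ -e "$f" ] || { echo "no certificates found in $bundle" >&2; rc=1; break; }
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
    subj=$(openssl x509 -in "$f" -noout -subject)
    note=""
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || note="$note NOT-A-CA"
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || note="$note EXPIRED"
    [ -z "$note" ] || rc=1
    printf '%s  %s %s\n' "$fp" "$subj" "${note:- ok}"
  done
  rm -rf "$work"
  return "$rc"
}

# sample_cert <out.crt> <CN> <TRUE|FALSE>: constructed self-signed test
# certificate with basicConstraints CA set as given (not certmgr output).
sample_cert() {
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[ext]' \
    "basicConstraints=critical,CA:$3" > "$1.cnf"
  openssl req -x509 -config "$1.cnf" -extensions ext -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

demo=$(mktemp -d)
sample_cert "$demo/prod.crt" "Sample Production Root" TRUE
sample_cert "$demo/staging.crt" "Sample Staging Root" TRUE
sample_cert "$demo/web01.crt" "web01.example.com" FALSE
cat "$demo/prod.crt" "$demo/staging.crt" > "$demo/good.pem"
cat "$demo/good.pem" "$demo/web01.crt" > "$demo/mixed.pem"
audit_bundle "$demo/good.pem"
audit_bundle "$demo/mixed.pem" || echo "mixed.pem: contains a non-CA or expired entry"
```

For a real bundle, run it on the file written by `certmgr trust export -n all-cas --format pem -o ca-bundle.pem` and compare the fingerprints with those of the CA certificates you intended to ship.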
Create a trust bundle with all CAs:
```bash
certmgr trust bundle -n all-cas --ca all
```

Create a trust bundle with specific CAs:

```bash
certmgr trust bundle -n prod-staging --ca production-ca,staging-ca
```

List trust bundles:

```bash
certmgr trust list
```

Show bundle details:

```bash
certmgr trust show -n all-cas
```

Export for different platforms:

```bash
# PEM format (universal)
certmgr trust export -n all-cas --format pem -o ca-bundle.pem
# Ubuntu/Debian installation script
certmgr trust export -n all-cas --format ubuntu -o install-ubuntu.sh
chmod +x install-ubuntu.sh
sudo ./install-ubuntu.sh
# RHEL/CentOS/Fedora installation script
certmgr trust export -n all-cas --format rhel -o install-rhel.sh
# Alpine Linux installation script
certmgr trust export -n all-cas --format alpine -o install-alpine.sh
# Dockerfile snippets for containers
certmgr trust export -n all-cas --format dockerfile -o Dockerfile.ca
# Kubernetes ConfigMap
certmgr trust export -n all-cas --format k8s -o ca-bundle-configmap.yaml
kubectl apply -f ca-bundle-configmap.yaml
```

Use in Kubernetes Pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  volumes:
    - name: ca-bundle
      configMap:
        name: all-cas-ca-bundle
  containers:
    - name: myapp
      image: myapp:latest
      volumeMounts:
        - name: ca-bundle
          mountPath: /etc/ssl/certs/ca-bundle.crt
          subPath: ca-bundle.crt
```

Use in Dockerfile:

```dockerfile
FROM ubuntu:latest
COPY all-cas.crt /usr/local/share/ca-certificates/
RUN apt-get update && \
    apt-get install -y ca-certificates && \
    update-ca-certificates
```

View current configuration:
```bash
certmgr config
```

Shows configuration with source attribution:

- `[default]` - Built-in defaults
- `[yaml:key]` - From YAML config file
- `[env:VAR]` - From environment variable

Environment Variables:

```bash
export CERTMGR_DIR=/custom/path/certs
export CERTMGR_CONFIG=/path/to/config.yaml
export OPENSSL_BIN=/custom/openssl
```

YAML Configuration (certmgr.yaml):
```yaml
base_dir: /opt/certificates
openssl_bin: /usr/bin/openssl
cas:
  production:
    subject: "/C=US/O=Acme/CN=Acme Production Root"
    days: 3650
    key_bits: 4096
    digest: sha256
  staging:
    subject: "/C=US/O=Acme/CN=Acme Staging Root"
    days: 1825
    key_bits: 2048
    digest: sha256
```

Comprehensive BATS test suite with 60+ test cases:
```bash
# Run all tests
make test
# Run specific suite
make test-ca        # CA operations
make test-cert      # Certificate issuance
make test-aliases   # Command aliases
make test-config    # Config introspection
make test-e2e       # End-to-end workflows
# View coverage
make test-coverage
# CI pipeline
make ci
```

See `tests/README.md` for detailed testing documentation.
```bash
# Basic workflow demonstration
make demo-basic
# Command aliases demonstration
make demo-aliases
# Multi-CA environment
make demo-multi-ca
```

```bash
# Check script syntax
make check
# Lint with shellcheck
make lint
# Run all checks
make test-all
# View all make targets
make help
```

```
certmgr/
├── certmgr                  # Main script
├── Makefile                 # Build and test automation
├── README.md                # This file
├── certmgr.yaml             # Optional configuration (user-created)
├── certs/                   # Certificate storage (created by init)
│   ├── CAs/                 # Certificate Authorities
│   │   └── myca/
│   │       ├── ca.crt
│   │       ├── private.key
│   │       ├── serial.txt
│   │       └── index.txt
│   └── issued/              # Issued certificates
│       └── myserver/
│           ├── server.key
│           ├── server.csr
│           ├── server.crt
│           ├── chain.crt
│           └── openssl.cnf
└── tests/                   # BATS test suite
    ├── test_helper.bash
    ├── 01_init.bats
    ├── 02_ca_operations.bats
    ├── 03_cert_issuance.bats
    ├── 04_aliases.bats
    ├── 05_config_introspection.bats
    ├── 06_human_friendly_output.bats
    ├── 07_e2e_workflows.bats
    ├── fixtures/
    │   ├── basic-config.yaml
    │   ├── minimal-config.yaml
    │   ├── advanced-config.yaml
    │   └── custom-openssl.yaml
    └── README.md
```
```bash
certmgr init
certmgr ca create -n myca
certmgr cert issue -n server01
certmgr cert show -n server01
```

```bash
certmgr init
certmgr ca create -n prod-ca --subject "/C=US/O=Prod/CN=Prod Root"
certmgr ca create -n dev-ca --subject "/C=US/O=Dev/CN=Dev Root"
certmgr cert issue -n prod-web --ca prod-ca --cn web.prod.com
certmgr cert issue -n dev-test --ca dev-ca --cn test.dev.local
certmgr ca list
certmgr cert list
```

```bash
certmgr c new -n quick-ca
certmgr i -n quick-server
certmgr c ls
certmgr cert ls
```

- Fork the repository
- Create a feature branch
- Add tests for new features
- Ensure `make ci` passes
- Submit a pull request
MIT License - see LICENSE file for details
- Report issues: GitHub Issues
- Documentation: This README and `tests/README.md`
- Run `certmgr help` for command reference
- Certificate renewal workflow
- CRL (Certificate Revocation List) support
- OCSP responder setup
- Intermediate CA support
- Client certificate issuance
- Bulk certificate operations
- Integration with popular web servers
- Docker container support