Easy-to-use command-line tool for certificate management.
- Simple command-line UI.
- Good defaults, sets up common extensions automatically.
- PGP- and password-protected private keys.
- OCSP and CRL info settings.
- Supports both EC and RSA keys.
- Python cryptography module (version >= 2.1).
- (Optional) gpg command-line tool to decrypt files.
- (Optional) openssl command-line tool to show CRT/CSR contents.
Generate new key:
sysca new-key [--password-file TXT_FILE] [--out DST] sysca new-key ec[:<curve>] [--password-file TXT_FILE] [--out DST] sysca new-key rsa[:<bits>] [--password-file TXT_FILE] [--out DST]
Create certificate signing request:
sysca request --key KEY_FILE [--password-file TXT_FILE]
[--subject DN] [--san ALTNAMES]
[--CA] [--path-length DEPTH]
[--usage FLAGS] [--ocsp-url URLS] [--crl-url URLS]
[--issuer-cert-url URLS]
[--out CSR_FN]
Create selfsigned certificate:
sysca selfsign --key KEY_FILE --days N [--password-file TXT_FILE]
[--subject DN] [--san ALTNAMES]
[--CA] [--path-length DEPTH]
[--usage FLAGS] [--ocsp-url URLS] [--crl-url URLS]
[--issuer-cert-url URLS]
[--out CRT_FN]
Sign certificate signing request:
sysca sign --ca-key KEY_FILE --ca-info CRT_FILE
--request CSR_FILE --days NUM
[--out CRT_FN] [--password-file TXT_FILE]
[--reset ...]
Create or update CRL file:
sysca update-crl [--crl CRL_FILE] [--out CRT_FN]
--ca-key KEY_FILE --ca-info CRT_FILE [--password-file TXT_FILE]
--days NUM [--crl-number NUM] [--delta-crl-number NUM]
[--reason REASON_NAME]
[--revoke-cert CERT_FILE] ...
[--revoke-serial SERIAL] ...
Display contents of CRT, CSR or CRL file:
sysca show FILE
Generate new key.
Takes key type as optional argument. Value can be either ec:<curve>,
rsa:<bits> or dsa:<bits>. Shortcuts: ec is ec:secp256r1,
rsa is rsa:2048, dsa is dsa:2048. Default: ec.
Suggested curves for EC: secp256r1, secp384r1, secp521r1, ed25519.
Options:
- --password-file FILE
- Password will be loaded from file. Can be PGP-encrypted. Resulting private key will be encrypted with this password.
- --out DST_FN
- Target file to write key to. It's preferable to write to stdout and encrypt with GPG.
Create certificate signing request (CSR).
Options:
- --out CSR_FILE
- Target file to write Certificate Signing Request to.
- --key KEY_FILE
- Private key file to create request for. Can be PGP-encrypted. Can be password-protected.
- --password-file FN
- Password file for private key. Can be PGP-encrypted.
- --subject DN
Subject's DistinguishedName which is X509 Name structure, which is collection of key-value pairs.
Each pair is separated with "/", key and value are separated with "=". Surrounding whitespace around both "/" and "=" will be stripped. "\" can be used for escaping.
Most important field: CN=commonName.
Common fields: O=organizationName, OU=organizationalUnit, C=countryName, L=locality, ST=stateOrProvinceName.
Less common fields: SN=surname, GN=givenName, T=title, P=pseudonym, SA=streetAddress.
Example:
--subject "/CN=www.example.com/ O=My Company / OU = DevOps"Default: empty.
Certificate field: Subject.
- --CA
The certificate will have CA rights - that means it can sign other certificates.
Extension: BasicConstraints.
- --path-length
Applies only for CA certs - limits how many levels on sub-CAs can exist under generated certificate. Default: Undefined.
Extension: BasicConstraints.
- --san ALT_NAMES
Specify alternative names for subject as list of comma-separated strings, that have prefix that describes data type.
Supported prefixes:
- dns
- Domain name.
- Email address. Plain addr-spec (local_part @ domain) is allowed here, no <> or full name.
- ip
- IPv4 or IPv6 address.
- uri
- Uniform Resource Identifier.
- dn
- DirectoryName, which is X509 Name structure. See
--subjectfor syntax.
Example:
--san "dns: *.example.com, dns: www.foo.org, ip: 127.0.0.1 "Extension: SubjectAlternativeName.
Options useful only when apps support them:
- --usage USAGE_FLAGS
Comma-separated keywords that set KeyUsage and ExtendedKeyUsage flags.
ExtendedKeyUsage flags, none set by default.
- client
- TLS Web Client Authentication.
- server
- TLS Web Server Authentication.
- code
- Code signing.
- E-mail protection.
- time
- Time stamping.
- ocsp
- OCSP signing.
- any
- All other purposes too that are not explicitly mentioned.
KeyUsage flags, by default CA certificate will have
key_cert_signandcrl_signset, non-CA certificate will havedigital_signatureandkey_enciphermentset but only if no--usagewas given by user.- digital_signature
- Allowed to sign anything that is not certificate for key.
- key_agreement
- Key is allowed to use in key agreement.
- key_cert_sign
- Allowed to sign certificates for other keys.
- crl_sign
- Allowed to sign certificates for certificate revocation lists (CRLs).
- key_encipherment
- Secret keys (either private or symmetric) can be encrypted against public key in certificate. Does not apply to session keys, but standalone secret keys?
- data_encipherment
- Raw data can be encrypted against public key in certificate. [Bad idea.]
- content_commitment
- Public key in certificate can be used for signature checking in "seriously-i-mean-it" environment. [Historical.]
- encipher_only
- If
key_agreementis true, this flag limits use only for data encryption. - decipher_only
- If
key_agreementis true, this flag limits use only for data decryption.
- --ocsp-nocheck
Disable OCSP checking for this certificate. Used for certificates that sign OCSP status replies.
Extension: OCSPNoCheck.
- --ocsp-must-staple
Requires that TLS handshake must be done with stapled OCSP response using
status_requestprotocol.Extension: OCSPMustStaple.
- --ocsp-must-staple-v2
Requires that TLS handshake must be done with stapled OCSP response using
status_request_v2protocol.Extension: OCSPMustStapleV2.
- --crl-url URLS
List of URLs where certificate revocation lists can be downloaded.
Extension: CRLDistributionPoints.
- --ocsp-url URLS
List of URL for OCSP endpoint where validity can be checked.
Extension: AuthorityInformationAccess.
- --issuer-url URLS
List of URLS where parent certificate can be downloaded, in case the parent CA is not root CA. Usually sub-CA certificates should be provided during key-agreement (TLS). This setting is for situations where this cannot happen or for fallback for badly-configured TLS servers.
Extension: AuthorityInformationAccess.
- --exclude-subtrees NAME_PATTERNS
- Disallow CA to sign subjects that match patterns. See
--permit-subtreesfor details. - --permit-subtrees NAME_PATTERNS
Allow CA to sign subjects that match patterns.
Specify patters for subject as list of comma-separated strings, that have prefix that describes data type.
Supported prefixes:
- dns
- Domain name.
- Email address. Plain addr-spec (local_part @ domain) is allowed here, no <> or full name.
- net
- IPv4 or IPv6 network.
- uri
- Uniform Resource Identifier.
- dn
- DirectoryName, which is X509 Name structure. See
--subjectfor syntax.
Extension: NameConstraints.
Create signed certificate based on data in request. Any unsupported extensions in request will cause error.
It will add SubjectKeyIdentifier and AuthorityKeyIdentifier extensions to final certificate that help to uniquely identify both subject and issuers public keys. Also IssuerAlternativeName is added as copy of CA cert's SubjectAlternativeName extension if present.
Options:
- --out CRT_FILE
- Target file to write certificate to.
- --days NUM
- Lifetime for certificate in days.
- --request CSR_FILE
- Certificate request file generated by request command.
- --ca-key KEY_FILE
- CA private key file. Can be PGP-encrypted. Can be password-protected.
- --ca-info CRT_FILE
- CRT file generated by request command. Issuer CA info will be loaded from it.
- --password-file FN
- Password file for CA private key. Can be PGP-encrypted.
- --reset
- Do not use any info fields from CSR, reload all info from command line. Without it, all info from CSR is kept and command line is ignored.
This commands takes same arguments as request plus --days NUM.
Preferable to use with --CA and --usage options.
Creates or updates Certificate Revocation List file.
CRL file can be either full or delta:
- full
- Contains full set of revoked certificates. Options:
--crl-number=CUR- delta
- Contains only certificates missing from older CRL version. Options:
--delta-crl-number=OLD --crl-number=CUR
CRL file can be either direct or indirect:
- direct
- All revoked certificates belong to signer that issues CRL.
- indirect
- Revoked certificates contain reference to actual CA that issued. Set with option:
--indirect-crl.
Options for CRL itself:
- --crl FN
- Load existing file. Version numbers are reused unless overrided on command line.
- --out FN
- Write output to file.
- --days NUM
- Set period that this CRL is valid.
- --ca-key KEY_FILE
- CA private key file. Can be PGP-encrypted. Can be password-protected.
- --ca-info CRT_FILE
- CA certificate used for signing.
- --crl-number VER
Version number for main CRL.
Extension: CRLNumber.
- --delta-crl-number VER
Version number of prevous CRL that this delta is from.
Extension: DeltaCRLNumber.
- --crl-scope SCOPE
CRL scope, one of: all, user, ca, attr. Default: all
This flags shows that CRL contains only specific types of certificates.
- all
- All types. Default.
- user
- Only user certificates.
- ca
- Only CA certificates.
- attr
- Only attribute certificates.
Extension: CRLIssuingDistributionPoint.
- --indirect-crl
CRL list can contain revoked certificates not issued by CRL signer.
Extension: CRLIssuingDistributionPoint.
- --issuer-urls URLS
Override issuer URLs. Default: taken from signer certificate.
Extension: CRLAuthorityInformationAccess.
Options for adding entries:
- --revoke-certs FN [FN ...]
- Filenames of certificates to add.
- --revoke-serials NUM [NUM ...]
- Certificate serial numbers to add.
- --reason REASON
Revocation reason. Used for all entries added in one command. One of:
- key_compromise
- Private key compromise.
- ca_compromise
- CA key compromise.
- affiliation_changed
- Current certificate is obsolete. Another CA is being responsible.
- superseded
- Current certificate is obsolete. New certificate has been issued.
- cessation_of_operation
- Current certificate is obsolete. CA shut down.
- privilege_withdrawn
- Certificate attributes are not valid anymore.
- aa_compromise
- Provider of attributes to certificate has been compromised.
- certificate_hold
- Temporary entry, actual reason will follow later.
- remove_from_crl
- Certificate should not be in CRL anymore.
- unspecified
- Default, means no reason has been provided.
Extension: CRLReason.
- --invalidity-date DATE
Consider certificate invalid from date. Optional, if missing revocation date is used.
Extension: CRLInvalidityDate.
Display contents of CSR or CRT file.
Private keys can be stored unencryped, encrypted with PGP, encrypted with password or both. Unencrypted keys are good only for testing. Good practice is to encrypt both CA and end-entity keys with PGP and use passwords only for keys that can be deployed to servers with password-protection.
For each key, different set of PGP keys can be used that can decrypt it:
$ sysca new-key | gpg -aes -r "[email protected]" -r "[email protected]" > CA.key.gpg $ sysca new-key | gpg -aes -r "[email protected]" -r "[email protected]" > server.key.gpg
Self-signed CA example:
$ sysca new-key | gpg -aes -r "[email protected]" > TestCA.key.gpg $ sysca selfsign --key TestCA.key.gpg --subject "/CN=TestCA/O=Gov" --CA > TestCA.crt
Sign server key:
$ sysca new-key | gpg -aes -r "[email protected]" > Server.key.gpg $ sysca request --key Server.key.gpg --subject "/CN=web.server.com/O=Gov" > Server.csr $ sysca sign --days 365 --request Server.csr --ca-key TestCA.key.gpg --ca-info TestCA.crt > Server.crt
Although SysCA allows to set various extension parameters, that does not mean any software that uses the certificates actually looks or acts on the extensions. So it's reasonable to set up only extensions that are actually used.