Skip to content

jacky9813/make-certificate-chain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits
.github
.github
 
 
make_certificate_chain
make_certificate_chain
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.rst
README.rst
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

Make Certificate Chain

This program helps system administrators to configure a Web Service that provides full SSL/TLS chain when handshaking.

With server provides all the certificates needed, it is possible to gain a little performance benefit for client verifying the server certificate.

The output of the certificate chain will follow the requirements for TLS 1.2 Server Certificate

Note

This program leverages on the existence of CAIssuers field (OID: 1.3.6.1.5.5.7.48.2).

Certificate Validation

User shouldn't seen SSL handshake error due to invalid certificate. This program also validates all certificates in chain. These are the items being checked across all certificates in chain:

  • Signature
  • Issuer name and subject name in issuer's certficate.
  • Dates (Not Before, Not After)

Supported Certificate Formats / Encodings

  • X.509 in PEM or DER encoding (--cert-type=x509)
  • PKCS#7 certificates bundle in PEM or DER encoding (--cert-type=pkcs7)
  • PKCS#12 certificates and key bundle in DER encoding (--cert-type=pkcs12)

Important

For PKCS#12 bundle, when importing certificate into cloud services, this program will only use bundled private key.

If the bundle doesn't contain the key, the program will fail.

Important

For containers capable of bundling multiple certificates (X.509 in PEM, PKCS#7, PKCS#12), only the first certificate will be parsed by this program.

Supported Importing Destinations

System Requirements

  • Python 3.8 or later
  • For import certificate to cloud services:
    • AWS CLI for import certificate to AWS Certificate Manager (ACM)
    • Google Cloud CLI for import certificate to Google Cloud

Install & Upgrade

pip install -U git+https://github.com/jacky9813/make-certificate-chain

Usage

Note

Unlike OpenSSL, this program detects the format automatically, so you don't have to put -inform equivalent parameter.

Example 1: Simple usage

mkcertchain output-only example.cert.pem > example.chain.pem

Example 2: Piped from stdout

echo "" | openssl s_client -connect www.example.com:443 | mkcertchain output-only > example.com.chain.pem

Example 3: Create SSL Certificate in Google Cloud

# Log into Google Cloud and update Application Default Credentials
gcloud auth login --update-adc
# The following command will ask password for private key, even it's unencrypted.
# In such case, input nothing but enter when prompted for password.
mkcertchain gcp --project my-project my-certificate server.cert.pem server.key.pem

Example 4: Create SSL Certificate in AWS with PKCS#12 bundle

# The following command will ask password for unpack PKCS#12 bundle, even it's unencrypted.
# In such case, input nothing but enter when prompted for password.
mkcertchain aws --cert-type=pkcs12 --profile=aws-cli-profile --region=ap-northeast-1 server.pfx

Example 5: Via Python module

python3 -m make_certificate_chain --help

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

4 tags

Packages

No packages published

Languages