This program helps system administrators configure a web service that serves the full SSL/TLS certificate chain during the handshake.
When the server provides all the certificates needed, the client gains a small performance benefit when verifying the server certificate.
The output certificate chain follows the requirements for a TLS 1.2 server certificate.
Note
This program relies on the presence of the CA Issuers field (OID: 1.3.6.1.5.5.7.48.2) in the certificates.
Users shouldn't see SSL handshake errors due to an invalid certificate. This program also validates every certificate in the chain. These are the items checked for each certificate in the chain:
- Signature
- Issuer name matches the subject name in the issuer's certificate
- Validity dates (Not Before, Not After)
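The following is an added example (not part of the mkcertchain project) showing how the CA Issuers entry from the note above is read out of a certificate's Authority Information Access extension, and how the three checks listed above (signature, issuer/subject name linkage, validity dates) are applied to a chain. It assumes the `cryptography` package is installed, builds a constructed root, intermediate and leaf in memory with placeholder CA Issuers URLs, and fetches nothing from the network.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

DAY = datetime.timedelta(days=1)
YEAR = datetime.timedelta(days=365)
# Constructed "current time" so the validity checks are deterministic.
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def make_cert(subject_cn, issuer_cert, issuer_key, key, is_ca, not_before, not_after, ca_issuers_url=None):
    """Issue a certificate for `key`. issuer_cert=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if ca_issuers_url:
        # AIA "CA Issuers" entry (OID 1.3.6.1.5.5.7.48.2): where a client would download
        # the issuer's certificate. The URL is a hypothetical placeholder; nothing is fetched.
        aia = x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS,
                                   x509.UniformResourceIdentifier(ca_issuers_url))
        ])
        builder = builder.add_extension(aia, critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def build_demo_chain():
    """Constructed root -> intermediate -> leaf chain (ECDSA P-256), leaf first."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Demo Root CA", None, root_key, root_key, True, NOW - YEAR, NOW + 10 * YEAR)
    inter = make_cert("Demo Intermediate CA", root, root_key, int_key, True, NOW - YEAR, NOW + 5 * YEAR,
                      "http://ca.example.invalid/root.der")
    leaf = make_cert("www.example.com", inter, int_key, leaf_key, False, NOW - DAY, NOW + 90 * DAY,
                     "http://ca.example.invalid/intermediate.der")
    return [leaf, inter, root]


def ca_issuers_urls(cert):
    """Return the CA Issuers URIs from the AIA extension (empty list if absent)."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS]


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes, across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def check_chain(chain, now=NOW):
    """chain is [leaf, intermediate..., root]; returns a list of problems (empty means valid)."""
    problems = []
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # the root is self-signed
        label = cert.subject.rfc4514_string()
        # 1. Issuer name must equal the subject name of the issuing certificate.
        if cert.issuer != issuer.subject:
            problems.append(f"{label}: issuer name does not match {issuer.subject.rfc4514_string()}")
        # 2. Validity window (Not Before / Not After) must contain `now`.
        not_before, not_after = _validity(cert)
        if not (not_before <= now <= not_after):
            problems.append(f"{label}: not valid at {now.isoformat()}")
        # 3. Signature must verify under the issuer's public key.
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            problems.append(f"{label}: signature does not verify against {issuer.subject.rfc4514_string()}")
    return problems


if __name__ == "__main__":
    chain = build_demo_chain()
    print("CA Issuers on leaf:", ca_issuers_urls(chain[0]))
    print("problems in good chain:", check_chain(chain))
    print("problems when leaf is paired with the root:", check_chain([chain[0], chain[2]]))
```

A real chain builder would follow each `ca_issuers_urls()` entry to download the next issuer certificate and stop at a self-signed root; this block skips the download and only runs the checks.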
Supported input formats:
- X.509 in PEM or DER encoding (`--cert-type=x509`)
- PKCS#7 certificate bundle in PEM or DER encoding (`--cert-type=pkcs7`)
- PKCS#12 certificate and key bundle in DER encoding (`--cert-type=pkcs12`)
Important
For a PKCS#12 bundle, when importing the certificate into cloud services, this program will only use the bundled private key.
If the bundle doesn't contain the key, the program will fail.
Important
For containers capable of bundling multiple certificates (X.509 in PEM, PKCS#7, PKCS#12), only the first certificate will be parsed by this program.
Supported cloud services:
- AWS: AWS Certificate Manager (ACM)
- Google Cloud: Global/Regional SSL Certificates

Requirements:
- Python 3.8 or later
- For importing certificates into cloud services:
  - AWS CLI for importing certificates into AWS Certificate Manager (ACM)
  - Google Cloud CLI for importing certificates into Google Cloud

Installation:

```shell
pip install -U git+https://github.com/jacky9813/make-certificate-chain
```
Note
Unlike OpenSSL, this program detects the input format automatically, so you don't have to pass an `-inform` equivalent parameter.
Output the chain for a local certificate, or for the certificate served by a live host:

```shell
mkcertchain output-only example.cert.pem > example.chain.pem
echo "" | openssl s_client -connect www.example.com:443 | mkcertchain output-only > example.com.chain.pem
```

Import into Google Cloud:

```shell
# Log into Google Cloud and update Application Default Credentials
gcloud auth login --update-adc
# The following command will ask for the private key password, even if the key is unencrypted.
# In that case, enter nothing but press Enter when prompted for the password.
mkcertchain gcp --project my-project my-certificate server.cert.pem server.key.pem
```

Import into AWS:

```shell
# The following command will ask for the password to unpack the PKCS#12 bundle, even if it's unencrypted.
# In that case, enter nothing but press Enter when prompted for the password.
mkcertchain aws --cert-type=pkcs12 --profile=aws-cli-profile --region=ap-northeast-1 server.pfx
```

Show all options:

```shell
python3 -m make_certificate_chain --help
```