createcacert.py
Create a Certificate Authority certificate using the createcacert.py script in FairCom Certificate Manager
A CA certificate is a digital certificate that a trusted third party called a Certificate Authority (CA) issues to help create a digital trust chain. CAs are also known as PKI Certificate Authorities because they issue digital certificates based on public key infrastructure (PKI).
This script creates an internal CA certificate and its private key, which can be used to create server certificates and client certificates for use on your company's internal network. Use importcert.py to register the CA certificate on client computers so they trust it. Register the CA certificate with client applications to validate the identity of the internal servers they connect to.
Important
Enter either an absolute path or a relative path. If you enter "certificates", all files will be in a directory named "certificates" within your current directory. Ensure this directory is secure (not shared) and is backed up properly.
Easy
Run the Python script createcacert.py without command-line arguments, and it prompts you for the following information:
Company name
Directory to store your certificates
Number of years until the CA certificate expires
Important
Choose the expiration carefully. CA certificates typically expire in 10, 20, or 30 years. When a CA certificate expires, you must regenerate all server certificates and client certificates. The CA certificate must also be redistributed to client software and re-imported into computers.
Note
This is a summary of what is displayed. It does not show everything that is displayed.
```
Welcome to FairCom's CA Key Pair Creator
For help, run this program with the '-h' option.

Enter your company's name: __________

Enter the name of a directory where certificates will be stored
Certificates will be stored in directories in this location.
Ensure this directory is secure (not shared), and is backed up properly.
Directory: __________

Enter the number of years when the CA certificate will expire.
Default expiration is 10 years.
When a CA certificate expires, it and all certificates that use it must be replaced on operating systems, servers, and client software.
Years [10]: __________

Press ENTER to proceed. Press x, to exit without any changes.

Successfully created and saved 2 of 2 files:
```
The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.
The "ca_key\ca.key" file holds your private CA key, and must never be shared.
The "Expires_On_ . . . .\ca.crt" file holds your public CA Certificate, which is meant to be shared.
Advanced
Run the Python script createcacert.py with command-line parameters. A full example:

```
python createcacert.py --bits 4096 --certManagementFolder Certs --cipher sha256 --commonName "MyCompany Private Certificate Authority" --country US --email support@MyCompany.com --location Columbia --months 13 --org MyCompany --outCertFile example.pem --outKeyFile example.key --passphrase MyPassword --serial 1 --singleFile False --state Missouri --unit IT
```

A minimal example:

```
python createcacert.py --certManagementFolder Certs --commonName "MyCompany Private Certificate Authority" --country US --location Columbia --months 13 --org MyCompany --state Missouri --unit IT
```
Command-line options
```
usage: createcacert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]]
                       [--bits [BITS]] [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]]
                       [--caKeyFilePass [CAKEYFILEPASS]]
                       [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]]
                       [--commonName [COMMONNAME]] [--country [COUNTRY]] [--email [EMAIL]]
                       [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]]
                       [--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]]
                       [--outKeyFile [OUTKEYFILE]] [--passphrase [PASSPHRASE]]
                       [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]
                       [--selfSigned [SELFSIGNED]] [--serial [SERIAL]]
                       [--singleFile [SINGLEFILE]] [--state [STATE]] [--unit [UNIT]]

FairCom's CA Key Pair Creator

options:
  -h, --help            show this help message and exit
  --altName [ALTNAME ...]
                        A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
                        A filename to load Subject Alternative Names from. One entry per line.
                        Will be ignored if --altName is present.
  --bits [BITS]         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
                        The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
                        The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
                        An optional passphrase to unlock encrypted CA/signing key data.
                        Ignored when generating new CA key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
                        The base directory to store saved files in.
  --cipher [CIPHER]     The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
                        The Common Name is a string used to identify the certificate.
  --country [COUNTRY]   A two-letter country designation.
  --email [EMAIL]       An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
                        The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
                        The certificate organization location or city.
  --months [MONTHS]     The certificate validity duration.
  --org [ORG]           The certificate organization name.
  --outCertFile [OUTCERTFILE]
                        The output certificate filename.
  --outKeyFile [OUTKEYFILE]
                        The output key filename.
  --passphrase [PASSPHRASE]
                        If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
                        A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
                        If true, the server/client key will sign the new certificate rather than
                        a CA key. Defaults to False. Ignored when generating new CA key pairs.
  --serial [SERIAL]     The serial number is an integer used to identify the certificate. When a
                        certificate is revoked, this number is how the revoked certificate is
                        identified.
  --singleFile [SINGLEFILE]
                        If true, both the key and certificate will be saved in the certificate
                        file. Defaults to False. Ignored when generating new CA key pairs.
  --state [STATE]       The certificate organization state or province.
  --unit [UNIT]         The certificate organization Unit or department.
```
When no command-line options are present, the script prompts for the user's company name, a folder, and the number of years before the certificate expires.
When command-line options are used, the script does not prompt the user for additional information. The options you specify are the only ones used.
If the -h command-line option is used, all other options are ignored. The help is displayed and you are returned to the command prompt.
The createcacert.py utility script uses the Python cryptography library to perform the cryptographic functions. When a key file is created, the cryptography library generates a random (pseudo-random) sequence of data.
Using more bits is more secure, but results in more complicated cryptographic computations, which can slow down your server.
Using fewer bits will improve the performance of communications, but might make those communications insecure. A safe range as of 2023 is between 2048 and 4096 bits.
When a certificate is generated, additional information can be included. That information typically includes the organization (company), common name (description of the server), the Subject Alternative Name (SAN), and more. That information will be used with the key to generate the final certificate and be attached to the certificate as metadata, which can be queried by software to help determine who the certificate belongs to.
The company name will be used as the Organization in the signed certificates you will later create and will be the basis for the Common Name.
The owner of a certificate is called an organization and is usually a company. There is no requirement that the organization be a company, and many certificates are owned and managed by individuals.
Most certificates on the internet are signed by a public CA. When a server is not connected to the internet, a public CA company cannot sign the certificate because the CA cannot reach the server to authenticate it. Ways of securing a server in this circumstance are creating a private certificate authority or using a self-signed certificate.
When a CA certificate expires, communications using that certificate and all server and client certificates which are based on that certificate no longer work. The recommended expiration date for a CA certificate is 10, 20, or 30 years. When a signed certificate expires, it must be replaced by a new signed certificate everywhere it is used, such as operating systems, browsers, and other software.
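The paragraphs above describe what the script does with the Python cryptography library: generate a private key of a chosen bit size, attach the organization and common name as certificate metadata, sign with SHA-256, and set an expiration. The following is an added example, not FairCom's createcacert.py and not code from this page, that performs those same steps directly with the cryptography library. It assumes 30-day months for the validity period, the output file names ca.key and ca.crt, a minimum of 2048 bits (the low end of the safe range the page gives), and the CN pattern "<company> Private Certificate Authority" from the defaults table.

```python
"""Added example (not FairCom's createcacert.py): build an internal CA key pair
with the Python `cryptography` library from the same inputs the script asks for:
company name, validity in months, RSA key size, and an optional key passphrase."""
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

MIN_BITS = 2048  # low end of the range the page calls safe as of 2023


def create_ca(company, months=120, bits=4096):
    """Return (private_key, certificate) for a self-signed root CA."""
    if bits < MIN_BITS:
        raise ValueError(f"RSA key must be at least {MIN_BITS} bits")
    if months < 1:
        raise ValueError("validity must be at least one month")
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    # A root CA is self-issued, so subject and issuer carry the same name.
    # O and CN follow the script's documented defaults.
    name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, company),
        x509.NameAttribute(NameOID.COMMON_NAME,
                           f"{company} Private Certificate Authority"),
    ])
    now = datetime.now(timezone.utc).replace(microsecond=0)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=30 * months))  # assumed 30-day months
        # CA that may sign end-entity certificates directly but not sub-CAs.
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False,
            key_encipherment=False, data_encipherment=False, key_agreement=False,
            key_cert_sign=True, crl_sign=True,
            encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                       critical=False)
        .sign(key, hashes.SHA256())  # the script's "sha256" default
    )
    return key, cert


def save_ca(key, cert, out_dir=None, passphrase=None):
    """Write ca.key (private, mode 0600) and ca.crt (public); return both paths."""
    out_dir = Path(out_dir) if out_dir else Path(tempfile.mkdtemp(prefix="ca_"))
    out_dir.mkdir(parents=True, exist_ok=True)
    enc = (serialization.BestAvailableEncryption(passphrase) if passphrase
           else serialization.NoEncryption())
    key_path = out_dir / "ca.key"
    key_path.write_bytes(key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, enc))
    key_path.chmod(0o600)  # the private key must never be shared
    cert_path = out_dir / "ca.crt"
    cert_path.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    return key_path, cert_path


def load_ca(key_path, cert_path, passphrase=None):
    """Read the pair back, unlocking the key with the passphrase if it was encrypted."""
    key = serialization.load_pem_private_key(Path(key_path).read_bytes(), passphrase)
    cert = x509.load_pem_x509_certificate(Path(cert_path).read_bytes())
    return key, cert


def is_self_signed(cert):
    """True when the certificate's own public key verifies its signature."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.subject == cert.issuer


if __name__ == "__main__":
    k, c = create_ca("MyCompany", months=13)
    print(save_ca(k, c, "Certs", passphrase=b"MyPassword"))
```

The key file is written with mode 0600 and, when a passphrase is given, in encrypted PKCS#8 form, so an unprotected copy never lands on disk; `is_self_signed` is the check a client-side importer can run to confirm a file really is a root before trusting it.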
CA Key pair files
Filename | Purpose | Notes
---|---|---
ca_key\ca.key | CA key file | Holds your private CA key and must never be shared.
Expires_On_ . . . .\ca.crt | CA certificate file | Holds your public CA certificate, which is meant to be shared.
Script default values
Note
The following are default values used by the createcacert.py script.
Setting | Default | Description
---|---|---
Cipher | sha256 | Considered secure as of 2023
Bit depth | 4096 | Considered secure as of 2023
Org name | Company name | The company name you enter
Common name | Company name + "Private Certificate Authority" | The company name you enter plus the text "Private Certificate Authority"
Serial number | current time stamp + serial number | The current time and serial number in yyyy-mm-dd hh:mm:ss.ssssss sn format. Example: 20230926174242421981000000001 is 2023-09-26 17:42:42.421981 000000001. "00000001" is the first serial number assigned and is incremented for each certificate created. Note: This value is helpful in uniquely identifying the version of the certificate.
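The serial-number layout in the table above (a 20-digit timestamp followed by a counter) is easy to get wrong when building or decoding by hand. The following is an added example, not FairCom's code, that composes and parses serials in that layout; it assumes a 9-digit counter, matching the suffix in the table's example, and also checks the RFC 5280 limit that a certificate serial is a positive integer of at most 20 octets (this layout uses about 97 bits, so it fits).

```python
"""Added example (not FairCom's code): compose and decode certificate serial
numbers laid out as 'yyyymmddHHMMSSffffff' + zero-padded counter."""
from datetime import datetime

TIMESTAMP_FMT = "%Y%m%d%H%M%S%f"   # 20 digits: date, time, microseconds
COUNTER_DIGITS = 9                 # assumed from the 9-digit suffix in the table's example
MAX_SERIAL_BITS = 159              # RFC 5280: positive integer, at most 20 octets


def make_serial(when, counter):
    """Build the integer serial for a certificate created at `when` with `counter`."""
    if not 1 <= counter < 10 ** COUNTER_DIGITS:
        raise ValueError(f"counter must be 1..{10 ** COUNTER_DIGITS - 1}")
    serial = int(when.strftime(TIMESTAMP_FMT) + f"{counter:0{COUNTER_DIGITS}d}")
    # Defensive check: a CA library will reject serials that exceed 20 octets.
    if serial.bit_length() > MAX_SERIAL_BITS:
        raise ValueError("serial exceeds the RFC 5280 20-octet limit")
    return serial


def parse_serial(serial):
    """Split a serial built by make_serial back into (datetime, counter)."""
    digits = str(int(serial))
    if len(digits) != len("20230926174242421981") + COUNTER_DIGITS:
        raise ValueError("serial does not match the timestamp+counter layout")
    when = datetime.strptime(digits[:20], TIMESTAMP_FMT)
    return when, int(digits[20:])


def next_serial(previous_serial, now):
    """Counter continues from the previous serial; the timestamp is refreshed."""
    _, counter = parse_serial(previous_serial)
    return make_serial(now, counter + 1)


if __name__ == "__main__":
    s = make_serial(datetime(2023, 9, 26, 17, 42, 42, 421981), 1)
    print(s, parse_serial(s))
```

Because the timestamp dominates the value, serials from this layout are strictly increasing across runs even if the counter is reset, which keeps revocation lists unambiguous as long as no two certificates are issued in the same microsecond with the same counter.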