Skip to main content


  • When no command line options are present, the script prompts for the user's company name and the number of months before the certificate expires.

  • When command line options are used, the script does not prompt the user for additional information. The options you specify are the only ones used.

  • If the -h command line option is used, all other options are ignored. The help is displayed and you are returned to the command prompt.

  • The utility script uses the Python cryptography library to perform the cryptographic functions.

  • When a key file is created, the cryptography library generates a random (pseudo-random) sequence of data.

    • Using more bits is more secure, but results in more complicated cryptographic computations, which can slow down your server.

    • Using fewer bits will improve the performance of communications, but might make those communications insecure.  A safe range as of 2023 is between 2048 and 4096 bits.

  • When a certificate is generated, additional information can be included. That information typically includes the organization (company), common name (description of the server), the Subject Alternative Name (SAN), and more. That information will be used with the key to generate the final certificate and be attached to the certificate as metadata, which can be queried by software to help determine who the certificate belongs to.

  • The common name is the description of the certificate or key pair. It used to be the primary method of authenticating a server, but the role of authentication has moved to the SAN.

  • The owner of a certificate is called an organization and is usually a company. There is no requirement that the organization be a company, and many certificates are owned and managed by individuals.

  • Most certificates on the internet are signed by a public CA. When a server is not connected to the internet, a public CA company cannot sign the certificate because they CA cannot reach the server to authenticate it. Ways of securing a server in this circumstance are creating a private certificate authority or using a self-signed certificate.


Run without command-line arguments, and you are prompted for necessary values as shown below: (See also the Create certificate authority tutorial.


When exiting, the utility outputs help information.

Welcome to FairCom's CA key pair utility

Enter your company's name: ____________________

Enter the name of a directory where certificates will be stored
Certificates will be stored in directories in this location.
Ensure this directory is secure (not shared), and is backed up properly.
Directory: __________

Enter the number of months when the certificate will expire.
  When a certificate expires, communications using that certificate no longer work.
  Recommended expiration is 13 months to give time to renew each year.
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
    such as operating systems, browsers, and other software.
Months [13]: __

Press ENTER to create the CA key pair files.
Press x, to exit without creating the CA key pair files. 

Successfully created and saved 2 of 2 files:

Run with command-line parameters

python --certManagementFolder Certs --commonName "MyCompany Private Certificate Authority" --country US --location Columbia --months 13 --org MyCompany --state Missouri --unit IT

Command line options

usage: [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]] [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]] [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]] [--commonName [COMMONNAME]]                       [--country [COUNTRY]] [--email [EMAIL]] [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]] [--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]] [--passphrase [PASSPHRASE]] [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]                       [--selfSigned [SELFSIGNED]] [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]] [--unit [UNIT]]

FairCom's CA Key Pair Creator

  -h, --help
         show this help message and exit
  --altName [ALTNAME ...]
         A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
         A filename to load Subject Alternative Names from. One entry per line. Will be ignored if --altName is present.
  --bits [BITS]
         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
         The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
         The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
         An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
         The base directory to store saved files in.
  --cipher [CIPHER]
         The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
         The Common Name is a string used to identify the certificate.
  --country [COUNTRY]
         A two-letter country designation.
  --email [EMAIL]
         An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
         The directory containing certificates to renew. Used only by
  --location [LOCATION]
         The certificate organization location or city.
  --months [MONTHS]
         The certificate validity duration.
  --org [ORG]
         The certificate organization name.
  --outCertFile [OUTCERTFILE]
         The output certificate filename.
  --outKeyFile [OUTKEYFILE]
         The output key filename.
  --passphrase [PASSPHRASE]
         If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
         A space delimited list of serial numbers to revoke. Used only by
  --selfSigned [SELFSIGNED]
         If true, the server/client key will sign the new certificate rather than a CA key. Defaults to False. Ignored when generating new CA key pairs.
  --serial [SERIAL]
         The serial number is an integer used to identify the certificate. When a certificate is revoked, this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
         If true, both the key and certificate will be saved in the certificate file. Defaults to False. Ignored when generating new CA key pairs.
  --state [STATE]
         The certificate organization state or province.
  --unit [UNIT]
         The certificate organization Unit or department.

When creating server certificates, the SAN contains one or more addresses of the server and is used by clients to validate that the address they connected to has a certificate that is valid for that address — for example, if you connect your browser to and the certificate that site returns is for, your browser will know that the site and/or certificate should not be trusted. Because of this, the SAN is essential for a server, but less important for a CA key pair or a client key pair.

The common name used to be what a client used to validate the server's address against. Since the advent of multi-domain certificates, the server address is validated against the contents of the SAN.

If you have to support a client that cannot use the SAN to validate the server address, that client is likely running an old encryption engine and should be audited for security risks.


Contents of a SAN file example

SAN on the command line example

--san ",,IP:,DNS:localhost,IP:"