Scripts to create and manage certificates


The createcacert.py script creates an internal CA certificate and its private key. Use them to sign the server certificates and client certificates for your company's internal network. Use importcert.py to register the CA certificate on client computers so they trust it, and register it with any client application that validates the identity of the internal servers it connects to.

Important

Enter either an absolute path or a relative path. If you enter a relative path such as certificates, all files are placed in a directory named "certificates" under your current working directory. Ensure this directory is secure (not shared, readable only by the CA administrator) and is backed up properly.

Easy

Run the Python script createcacert.py without command-line arguments, and it prompts you for the following information:

  • Company name

  • Directory where to store the CA certificate

  • Number of months until the CA certificate expires

Important

Choose the expiration carefully. Public CA certificates typically expire in 10, 20, or 30 years; this script instead defaults to 13 months because the recommended practice for a private CA (see Table 1) is to rotate it every year. When a CA certificate expires, you must regenerate all server certificates and client certificates, and the new CA certificate must be redistributed to client software and re-imported into computers.

Welcome to FairCom's CA key pair utility

Enter your company's name: __________

Enter the name of a directory where certificates will be stored
  Certificates will be stored in directories in this location.
  Ensure this directory is secure (not shared), and is backed up properly.
  Directory: __________

Enter the number of months when the certificate will expire.
  When a certificate expires, communications using that certificate no longer work.
  Recommended expiration is 13 months to give time to renew each year.
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
  such as operating systems, browsers, and other software.
  Months [13]: __

Press ENTER to create the CA key pair files.
Press x, to exit without creating the CA key pair files. 

Successfully created and saved 2 of 2 files:

The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.

Advanced

Run the Python script createcacert.py with command-line parameters:

python createcacert.py --bits 4096 --certManagementFolder Certs --cipher sha256 --commonName "MyCompany Private Certificate Authority" --country US --email support@MyCompany.com --location Columbia --months 13 --org MyCompany --outCertFile example.pem --outKeyFile example.key --passphrase MyPassword --serial 1 --singleFile False --state Missouri --unit IT

A shorter form that relies on the script's defaults for everything else:

python createcacert.py --certManagementFolder Certs --commonName "MyCompany Private Certificate Authority" --country US --location Columbia --months 13 --org MyCompany --state Missouri --unit IT

A passphrase given with --passphrase is recorded in your shell history and, while the script runs, is visible to other users of the machine in the process list; clear it from the history afterwards. Without --passphrase the CA private key is written unencrypted, so restrict the permissions on the certificate directory either way.

Command-line options

usage: createcacert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
                       [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
                       [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]] [--commonName [COMMONNAME]]
                       [--country [COUNTRY]] [--email [EMAIL]] [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]]
                       [--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]]
                       [--passphrase [PASSPHRASE]] [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]
                       [--selfSigned [SELFSIGNED]] [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]]
                       [--unit [UNIT]]

FairCom's CA Key Pair Creator

options:
  -h, --help
         show this help message and exit
  --altName [ALTNAME ...]
         A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
         A filename to load Subject Alternative Names from. One entry per line. Will be ignored if --altName is present.
  --bits [BITS]
         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
         The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
         The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
         An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
         The base directory to store saved files in.
  --cipher [CIPHER]
         The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
         The Common Name is a string used to identify the certificate.
  --country [COUNTRY]
         A two-letter country designation.
  --email [EMAIL]
         An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
         The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
         The certificate organization location or city.
  --months [MONTHS]
         The certificate validity duration.
  --org [ORG]
         The certificate organization name.
  --outCertFile [OUTCERTFILE]
         The output certificate filename.
  --outKeyFile [OUTKEYFILE]
         The output key filename.
  --passphrase [PASSPHRASE]
         If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
         A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
         If true, the server/client key will sign the new certificate rather than a CA key. Defaults to False. Ignored when generating new CA key pairs.
  --serial [SERIAL]
         The serial number is an integer used to identify the certificate. When a certificate is revoked, this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
         If true, both the key and certificate will be saved in the certificate file. Defaults to False. Ignored when generating new CA key pairs.
  --state [STATE]
         The certificate organization state or province.
  --unit [UNIT]
         The certificate organization Unit or department.

  • When no command-line options are present, the script prompts for the user's company name, the directory in which to store the certificates, and the number of months before the certificate expires.

  • When command-line options are used, the script does not prompt the user for additional information. The options you specify are the only ones used.

  • If the -h command-line option is used, all other options are ignored. The help is displayed and you are returned to the command prompt.

  • The createcacert.py utility script uses the Python cryptography library to perform the cryptographic functions.

  • When a key file is created, the cryptography library draws the private key from the operating system's cryptographically secure random number generator; the number of bits you choose is the size of the RSA key.

    • Using more bits is more secure, but results in more expensive cryptographic computations, which slows down TLS handshakes on the server and its clients.

    • Using fewer bits will improve the performance of communications, but might make those communications insecure. A safe range as of 2023 is between 2048 and 4096 bits; do not go below 2048.

  • When a certificate is generated, additional information can be included. That information typically includes the organization (company), common name (description of the server), the Subject Alternative Name (SAN), and more. That information will be used with the key to generate the final certificate and be attached to the certificate as metadata, which can be queried by software to help determine who the certificate belongs to.

  • The company name will be used as the Organization in the signed certificates you will later create and will be the basis for the Common Name.

  • The common name is the description of the certificate or key pair. It used to be the primary method of authenticating a server, but the role of authentication has moved to the SAN.

  • The owner of a certificate is called an organization and is usually a company. There is no requirement that the organization be a company, and many certificates are owned and managed by individuals.

  • Most certificates on the internet are signed by a public CA. A public CA signs only after validating that you control a publicly resolvable DNS name. A server that is not reachable from the internet, or that is addressed by an internal hostname or a private IP address, cannot pass that validation, so a public CA cannot sign its certificate. Ways of securing a server in this circumstance are creating a private certificate authority (what these scripts do) or using a self-signed certificate.

  • When a certificate expires, communications using that certificate no longer work.  The recommended expiration is 13 months to give time to renew each year.  When a signed certificate expires, it must be replaced by a new signed certificate everywhere it is used, such as operating systems, browsers, and other software.

  • A summary is displayed of all command-line options and values that will be used when the command to perform this operation is run. You may want to make a copy of this information, so you can repeat this exact run in the future. Only the serial number will be different.
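The notes above describe what createcacert.py does with the cryptography library. The following is an added, illustrative example of the same steps written for this page; it is not FairCom's script. It assumes the cryptography package is installed; the function names, the company name and the MyPassword passphrase are this example's own. It goes slightly beyond the text in that demo() also checks that the reloaded key and certificate belong together, the same modulus comparison certinfo.py reports later on this page.

```python
import calendar
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def add_months(dt, n):
    """Add n calendar months, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    month = dt.month - 1 + n
    year, month = dt.year + month // 12, month % 12 + 1
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))


def serial_number(counter, now=None):
    """Table 2 layout: yyyymmddHHMMSS, six fractional-second digits, 9-digit counter.
    The 29-digit value is below 2**97, well inside the 20 bytes RFC 5280 allows."""
    now = now or datetime.now(timezone.utc)
    return int(now.strftime("%Y%m%d%H%M%S%f") + f"{counter:09d}")


def create_ca(company, months=13, bits=4096, country="US", state=None, city=None, unit=None):
    """Self-signed CA whose Common Name is '<company> Private Certificate Authority'."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    attrs = [(NameOID.COUNTRY_NAME, country), (NameOID.STATE_OR_PROVINCE_NAME, state),
             (NameOID.LOCALITY_NAME, city), (NameOID.ORGANIZATION_NAME, company),
             (NameOID.ORGANIZATIONAL_UNIT_NAME, unit),
             (NameOID.COMMON_NAME, f"{company} Private Certificate Authority")]
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in attrs if val])
    now = datetime.now(timezone.utc).replace(microsecond=0)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)       # self-signed: issuer == subject
            .public_key(key.public_key())
            .serial_number(serial_number(1))
            .not_valid_before(now)
            .not_valid_after(add_months(now, months))
            # CA:TRUE, pathlen:0 -> may sign server/client certs but no subordinate CAs
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            # Only "Certificate Sign, CRL Sign": the CA key itself never does TLS
            .add_extension(x509.KeyUsage(
                digital_signature=False, content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False, key_cert_sign=True,
                crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                           critical=False)
            .sign(key, hashes.SHA256()))                # the script's "cipher sha256"
    return key, cert


def save_ca(key, cert, folder, passphrase=None):
    """Write ca.key (PKCS#8, encrypted when a passphrase is given) and ca.crt as PEM."""
    enc = (serialization.BestAvailableEncryption(passphrase.encode())
           if passphrase else serialization.NoEncryption())
    key_path, cert_path = Path(folder) / "ca.key", Path(folder) / "ca.crt"
    key_path.write_bytes(key.private_bytes(serialization.Encoding.PEM,
                                           serialization.PrivateFormat.PKCS8, enc))
    key_path.chmod(0o600)  # owner-only: the practical form of Table 1's warning
    cert_path.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    return key_path, cert_path


def load_ca(key_path, cert_path, passphrase=None):
    """What the other scripts do with --caKeyFile, --caCertFile and --caKeyFilePass."""
    key = serialization.load_pem_private_key(
        Path(key_path).read_bytes(), password=passphrase.encode() if passphrase else None)
    return key, x509.load_pem_x509_certificate(Path(cert_path).read_bytes())


def describe_ca(cert):
    """The facts certinfo.py or 'openssl x509 -text' shows for a CA certificate."""
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    try:                       # cryptography >= 42 has the aware-UTC attributes
        start, end = cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:     # older releases only have the naive-UTC ones
        start, end = cert.not_valid_before, cert.not_valid_after
    return {"cn": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
            "self_signed": cert.subject == cert.issuer,
            "is_ca": bc.ca and bc.path_length == 0 and ku.key_cert_sign and ku.crl_sign,
            "days_valid": (end - start).days,
            "serial_digits": len(str(cert.serial_number)),
            "key_bits": cert.public_key().key_size}


def demo(bits=4096, passphrase="MyPassword"):
    """Create, save, reload and inspect a CA; adds the key/cert match certinfo.py reports."""
    key, cert = create_ca("MyCompany", bits=bits, state="Missouri", city="Columbia", unit="IT")
    with tempfile.TemporaryDirectory() as folder:
        key, cert = load_ca(*save_ca(key, cert, folder, passphrase), passphrase)
    info = describe_ca(cert)
    info["key_matches_cert"] = key.public_key().public_numbers() == cert.public_key().public_numbers()
    return info
```

Run demo() to create, encrypt, reload and inspect a CA in a temporary directory. Keep the 4096-bit default for a real CA; pass bits=2048 only to speed up experiments. The KeyUsage and BasicConstraints values are exactly what the openssl output later on this page reports for a CA key pair.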

CA Key pair files

Table 1. CA key pair files

  Filename  Purpose              Notes
  ca.key    CA key file          WARNING! Store this key in a secure location. It is the
                                 "private" key of the key pair. Anyone who obtains it can
                                 sign a certificate for any server or user name, and every
                                 computer that trusts ca.crt will accept it, so servers and
                                 users can be impersonated and network communications
                                 intercepted.
  ca.crt    CA certificate file  The ca.crt file is freely distributed to every computer
                                 and application that needs to validate your servers and
                                 clients as trustworthy. It is recommended to create a new
                                 CA certificate and recreate certificates for your servers
                                 and clients every year.


Script default values

Note

The following are default values used by the createcacert.py script.

Table 2. The createcacert.py Python script default values

  Setting        Default                                        Description
  Cipher         sha256                                         The hash used for the certificate signature (the key is RSA, so
                                                                the signature is RSA with SHA-256). Despite the option name it is
                                                                not an encryption cipher. Considered secure as of 2023.
  Bit depth      4096                                           The RSA key length. Considered secure as of 2023.
  Org name       <myCompanyName>                                The company name you enter.
  Common name    <myCompanyName> Private Certificate Authority  The company name you enter plus the text "Private Certificate
                                                                Authority".
  Serial number  current time stamp + serial number             The current time (yyyymmddhhmmss plus six digits of fractional
                                                                seconds) followed by a 9-digit serial number.

Example:

20230926174242421981000000001

is 2023-09-26 17:42:42.421981 000000001

"000000001" is the first serial number assigned and is incremented for each certificate created.

Note

This value uniquely identifies each certificate the CA issues, and it is the number you pass to revokecert.py (--revokeSerialNumbers) to revoke one.



The createclientcert.py script creates a client certificate and its private key, which a client presents instead of a username and password when logging into a FairCom server. Register the client certificate with the application software that will use it.

Important

Before running createclientcert.py, create a CA certificate using createcacert.py.

A company's CA administrator typically creates client certificates to authenticate user and software accounts.

Easy

Run the Python script createclientcert.py without command-line arguments, and it prompts you for the following information:

  • Company name

  • Directory where to store the client certificate

  • Number of months until the client certificate expires

  • Username of the account that the client certificate authenticates

  • Password to protect the private key embedded in the client certificate

  • Optional TCP/IP addresses or DNS names of client computers where the client certificate is allowed to be used

Welcome to FairCom Client TLS Key Pair Creator
For help, run this program with the '-h' option.

Enter your company's name: __________

Enter the name of a directory where certificates will be stored  
  Certificates will be stored in directories in this location.  
  Ensure this directory is secure (not shared), and is backed up properly.
  Directory: __________

Enter the number of months when the certificate will expire.  
  When a certificate expires, communications using that certificate no longer work.  
  Recommended expiration is 13 months to give time to renew each year.  
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is 
  used, such as operating systems, browsers, and other software.
  Months [23]: __

The 'Common Name' of a client certificate is typically used by the server as a username.
  Enter the Common Name of the client (this will be the name of the output files): ___________

Enter a passphrase to encrypt the key data, or press ENTER to leave the key unsecured.
  Use only 7-bit ASCII characters: __________

Enter a filename that contains IP addresses and DNS names, or press ENTER to be prompted for this information:
  Enter one IP address or DNS name and press ENTER to enter another.  
  Pressing ENTER on an empty line will terminate address entry.  
  Enter a new IP address or DNS name: ___________  
  Enter a new IP address or DNS name: ___________  
  Enter a new IP address or DNS name:

Done collecting IP addresses and DNS names.

Enter an optional two-letter country code where your company is located: __

Enter an optional state/province where your company is located: __

Enter an optional city where your company is located: __________

Enter an optional department within your organization: __________

Enter an optional email address to associate with this certificate: __________

Loading the CA key from 'downloads\_ca_key\ca.key'
Loading the CA certificate from 'downloads\Expires_On_2026-04-14\ca.crt'

Successfully created and saved 1 of 1 files:  

The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.

Advanced

Run the Python script createclientcert.py with command-line parameters:

python createclientcert.py --certManagementFolder Certs --commonName <username> --country US --location Columbia --months 13 --org MyCompany --state Missouri --unit IT

The Common Name of a client certificate is the username the FairCom server sees, so give it the account name, not the CA's Common Name. Add --passphrase to encrypt the client's private key; without it the key is written unencrypted.

Command-line options

usage: createclientcert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
                           [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
                           [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]] [--commonName [COMMONNAME]]
                           [--country [COUNTRY]] [--email [EMAIL]] [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]]
                           [--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]]
                           [--passphrase [PASSPHRASE]] [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]
                           [--selfSigned [SELFSIGNED]] [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]]
                           [--unit [UNIT]]

options:
  -h, --help
         show this help message and exit
  --altName [ALTNAME ...]
         A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
         A filename to load Subject Alternative Names from. One entry per line. Will be ignored if --altName is present.
  --bits [BITS]
         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
         The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
         The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
         An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
         The base directory to store saved files in.
  --cipher [CIPHER]
         The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
         The Common Name is a string used to identify the certificate.
  --country [COUNTRY]
         A two-letter country designation.
  --email [EMAIL]
         An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
         The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
         The certificate organization location or city.
  --months [MONTHS]
         The certificate validity duration.
  --org [ORG]
         The certificate organization name.
  --outCertFile [OUTCERTFILE]
         The output certificate filename.
  --outKeyFile [OUTKEYFILE]
         The output key filename.
  --passphrase [PASSPHRASE]
         If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
         A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
         If true, the server/client key will sign the new certificate rather than a CA key. Defaults to False. Ignored when generating new CA key pairs.
  --serial [SERIAL]
         The serial number is an integer used to identify the certificate. When a certificate is revoked, this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
         If true, both the key and certificate will be saved in the certificate file. Defaults to False. Ignored when generating new CA key pairs.
  --state [STATE]
         The certificate organization state or province.
  --unit [UNIT]
         The certificate organization Unit or department.
  • Hostname can be found by running the hostname command on the server. Windows, Linux, and MacOS all have the same command.

  • The Subject Alternative Name list in a client certificate is sometimes used as an additional way to identify the client. This can provide flexibility for servers that may not use the Common Name to identify clients.

  • The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.

  • Client certificates can be created but can only be implemented with the FairCom ISAM interface.

The createservercert.py script creates a server certificate and its private key, which the server presents so that clients can verify its identity. Distribute the server certificate and its private key to the server for which it was created. Move the private key over a secure channel (not email or a shared folder) and never give it to clients; clients need only ca.crt.

Important

Before running createservercert.py, create a CA certificate using createcacert.py.

A company's CA administrator typically creates a server certificate to verify the identity of a server used inside a company.

Easy

Run the Python script createservercert.py without command-line arguments, and it prompts you for the following required information:

  • Number of months until the server certificate expires

  • Hostname of the server

  • TCP/IP addresses or DNS names of the server

Welcome to FairCom Server TLS Key Pair Creator
  For help, run this program with the '-h' option.

Enter the number of months when the certificate will expire.
  When a certificate expires, communications using that certificate no longer work.
  Recommended expiration is 13 months to give time to renew each year.
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
  such as operating systems, browsers, and other software.
  Months [13]: __________

Enter the hostname of the server (this will be the name of the output files): __________

Enter a filename that contains IP addresses and DNS names, or press ENTER to be prompted for this information: __________

Enter one IP address or DNS name and press ENTER to enter another.  
  Pressing ENTER on an empty line will terminate address entry.
  Enter a new IP address or DNS name: __________
  Done collecting IP addresses and DNS names.

Enter an optional two-letter country code where your company is located: __________

Enter an optional state/province where your company is located: __________

Enter an optional city where your company is located: __________

Enter an optional department within your organization: __________

Enter an optional email address to associate with this certificate: __________

Loading the CA key from 'C:\examplefilepath'
Loading the CA certificate from 'C:\examplefilepath'

Press ENTER to proceed.
Press x, to exit without any changes.

Successfully created and saved 1 of 1 files:

The output files listed at the bottom will always show the absolute path to the files, even if relative paths were used throughout the program.

Advanced

Run the Python script createservercert.py with command-line parameters:

python createservercert.py --altName www.mycompany.com 2606:2800:220:1:248:1893:25c8:1946 93.184.216.34 10.0.0.5 127.0.0.1 localhost --altNameFile san.txt --bits 4096 --caCertFile ca.crt --caKeyFile ca.key --caKeyFilePass mYp@s$w0rd --certManagementFolder Certs --cipher sha256 --commonName "MyCompany Server 1" --country US --email support@MyCompany.com --location Columbia --months 13 --org "MyCompany Widgets" --outCertFile example.crt --outKeyFile example.key --passphrase mYp@s$w0rd --selfSigned False --serial 1234567890 --singleFile False --state Missouri --unit IT

Two things to watch in this example. The passphrase mYp@s$w0rd contains a $: in bash or sh, an unquoted $w0rd is expanded as a shell variable, so the script would receive mYp@s; wrap such values in single quotes ('mYp@s$w0rd'). And because --altName is present, --altNameFile san.txt is ignored (see the option descriptions below); use one or the other.

Command-line options

Welcome to FairCom Server TLS Key Pair Creator
For help, run this program with the '-h' option.
usage: createservercert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
                           [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
                           [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]]
                           [--commonName [COMMONNAME]] [--country [COUNTRY]] [--email [EMAIL]]
                           [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]] [--months [MONTHS]] [--org [ORG]]
                           [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]] [--passphrase [PASSPHRASE]]
                           [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]] [--selfSigned [SELFSIGNED]]
                           [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]] [--unit [UNIT]]

FairCom Server TLS Key Pair Creator

options:
  -h, --help            show this help message and exit
  --altName [ALTNAME ...]
                        A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
                        A filename to load Subject Alternative Names from. One entry per line. Will be ignored if
                        --altName is present.
  --bits [BITS]         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
                        The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
                        The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
                        An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA
                        key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
                        The base directory to store saved files in.
  --cipher [CIPHER]     The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
                        The Common Name is a string used to identify the certificate.
  --country [COUNTRY]   A two-letter country designation.
  --email [EMAIL]       An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
                        The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
                        The certificate organization location or city.
  --months [MONTHS]     The certificate validity duration.
  --org [ORG]           The certificate organization name.
  --outCertFile [OUTCERTFILE]
                        The output certificate filename.
  --outKeyFile [OUTKEYFILE]
                        The output key filename.
  --passphrase [PASSPHRASE]
                        If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
                        A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
                        If true, the server/client key will sign the new certificate rather than a CA key. Defaults to
                        False. Ignored when generating new CA key pairs.
  --serial [SERIAL]     The serial number is an integer used to identify the certificate. When a certificate is revoked,
                        this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
                        If true, both the key and certificate will be saved in the certificate file. Defaults to False.
                        Ignored when generating new CA key pairs.
  --state [STATE]       The certificate organization state or province.
  --unit [UNIT]         The certificate organization Unit or department.

--altNameFile method

As an alternative to the above examples, you may use --altNameFile to create a server certificate. First, create a text file containing the TCP/IP addresses and DNS names of the server that identify the server. Put each name on a separate line, such as the following example:

mydomain.com
www.mydomain.com
10.21.12.31
localhost
127.0.0.1

Then, specify that file location using the --altNameFile argument:

--altNameFile "C:/ExampleFilePath"

You may also skip creating the file and pass the entries directly on the command line with --altName. Separate the entries with spaces and do not wrap the whole list in one pair of quotes, so that each entry reaches the script as its own argument, as in the full command-line example above:

--altName mydomain.com www.mydomain.com 10.21.12.31 localhost 127.0.0.1

  • When creating server certificates, the SAN contains one or more addresses of the server and is used by clients to validate that the address they connected to has a certificate that is valid for that address — for example, if you connect your browser to www.example.com and the certificate that site returns is for www.badexample.com, your browser will know that the site and/or certificate should not be trusted. Because of this, the SAN is essential for a server, but less important for a CA key pair or a client key pair.

  • The common name used to be what a client used to validate the server's address against. Since the advent of multi-domain certificates, the server address is validated against the contents of the SAN.

  • If you have to support a client that cannot use the SAN to validate the server address, that client is likely running an old TLS library and should be audited for security risks.
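The client and server sections above both issue leaf certificates from the same CA, differ mainly in their Extended Key Usage, and rely on the SAN for address validation. The following added example, written for this page rather than taken from FairCom's scripts, builds such a certificate (signed by a CA key pair you pass in, or self-signed as with --selfSigned True), parses an altNameFile-style list into DNS and IP entries, verifies the signature the way a client that trusts ca.crt would, and matches a connected address against the SAN. It assumes the cryptography package; the function names, the constructed SAN list and the '#' comment convention are this example's own.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def parse_alt_names(lines):
    """Lines of an --altNameFile (or the --altName arguments). Anything the ipaddress
    module parses becomes an IPAddress entry, everything else a DNSName. Blank lines
    and '#' comments are skipped (the comment rule is this example's own)."""
    names = []
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            names.append(x509.IPAddress(ipaddress.ip_address(entry)))
        except ValueError:
            names.append(x509.DNSName(entry.lower()))
    return names


def issue_leaf(common_name, alt_names, org, kind="server", signer=None, months=13, bits=4096):
    """Leaf key pair plus certificate. signer=(ca_key, ca_cert) signs with the CA;
    signer=None is the --selfSigned case, where the leaf key signs its own certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    subject = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                         x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    sign_key, issuer = (key, subject) if signer is None else (signer[0], signer[1].subject)
    eku = ExtendedKeyUsageOID.SERVER_AUTH if kind == "server" else ExtendedKeyUsageOID.CLIENT_AUTH
    now = datetime.now(timezone.utc).replace(microsecond=0)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + timedelta(days=30 * months))  # 30-day "months"
               # CA:FALSE plus "Digital signature, Key encipherment", as certinfo.py shows
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
               .add_extension(x509.KeyUsage(
                   digital_signature=True, content_commitment=False, key_encipherment=True,
                   data_encipherment=False, key_agreement=False, key_cert_sign=False,
                   crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
               .add_extension(x509.ExtendedKeyUsage([eku]), critical=True))
    san = parse_alt_names(alt_names)
    if san:  # essential for a server; optional for a client, whose CN is the username
        builder = builder.add_extension(x509.SubjectAlternativeName(san), critical=False)
    return key, builder.sign(sign_key, hashes.SHA256())


def san_matches(cert, address):
    """Is `address` (DNS name or IP literal) covered by the SAN? DNS names compare
    case-insensitively, a '*.' wildcard covers exactly one leftmost label, and an IP
    literal is compared only against IPAddress entries (the RFC 6125 rules browsers use)."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    try:
        return ipaddress.ip_address(address) in san.get_values_for_type(x509.IPAddress)
    except ValueError:
        pass  # not an IP literal, so match it as a host name
    host = address.lower().rstrip(".")
    for pattern in san.get_values_for_type(x509.DNSName):
        pattern = pattern.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def signed_by(cert, issuer_cert):
    """True when issuer_cert's public key verifies cert's signature, which is what a
    client checks once ca.crt is in its trust store."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def allowed_uses(cert):
    """{'server'} and/or {'client'} from the Extended Key Usage extension."""
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return ({"server"} if ExtendedKeyUsageOID.SERVER_AUTH in eku else set()) | \
           ({"client"} if ExtendedKeyUsageOID.CLIENT_AUTH in eku else set())


def demo(bits=4096):
    """Constructed SAN file: the --altNameFile example above plus a wildcard entry."""
    san_file = ["mydomain.com", "www.mydomain.com", "10.21.12.31", "localhost",
                "127.0.0.1", "*.internal.mydomain.com", "", "# comment line"]
    _, server = issue_leaf("server1", san_file, "MyCompany", kind="server", bits=bits)
    _, client = issue_leaf("alice", [], "MyCompany", kind="client", bits=bits)
    return {"www": san_matches(server, "WWW.MyDomain.com"),
            "ip": san_matches(server, "10.21.12.31"),
            "wildcard": san_matches(server, "api.internal.mydomain.com"),
            "wildcard_apex": san_matches(server, "internal.mydomain.com"),
            "wrong_host": san_matches(server, "www.badexample.com"),
            "wrong_ip": san_matches(server, "10.21.12.32"),
            "self_signed_ok": signed_by(server, server),
            "other_issuer": signed_by(server, client),
            "server_uses": allowed_uses(server),
            "client_uses": allowed_uses(client)}
```

demo() issues a self-signed server certificate and a client certificate; to mirror the scripts' normal path, pass signer=(ca_key, ca_cert) loaded from ca.key and ca.crt, and signed_by(server, ca_cert) then returns True. The www.badexample.com case is the mismatch the bullet above describes: the signature may be perfectly valid, and the client still refuses because the SAN does not cover the address it connected to.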

The importcert.py script imports your internal CA certificate into the trusted root store on Windows, Linux, or MacOS, so that the computer trusts every certificate you sign with that CA. Run it locally on each computer with administrator privileges; on Linux and MacOS, prepend the command with sudo. Import only ca.crt, never ca.key, and only a CA you control: every computer that trusts the CA will accept any certificate its private key signs.

Easy

Copy the CA certificate and the Python script importcert.py to a computer. Run the script without command-line arguments, and it will prompt you for the following information:

  • Location of the CA certificate

Welcome to FairCom's Certificate Import Utility
For help, run this program with the '-h' option.
Enter the location of an x509 CA certificate (or 'x' to exit): __________

Press ENTER to proceed.
Press x, to exit without any changes.

root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "FairCom Private Certificate Authority" added to store.
CertUtil: -addstore command completed successfully.

Press ENTER to exit

Advanced

Run the Python script importcert.py with the file path of your desired certificate as the command-line parameter:

python importcert.py C:\ExampleFilePath

Command-line options

Welcome to FairCom's Certificate Import Utility

This program optionally takes one parameter: the full path to the certificate file to import.
For example:
  python importcert.py /certificates/ca.crt

certinfo.py

Display information in a certificate file using the certinfo.py script in FairCom Certificate Manager

Displays certificate and private key information in a PEM file.

Easy

Run the Python script certinfo.py without command-line arguments, and it will prompt you for the following information:

Welcome to FairCom's Certificate Information Program

Enter the location of the file to inspect (or 'x' to exit): __________

If the file contains a password-protected RSA key, enter that password: __________

Key #: 1
  Modulus hash: 969db60634c9a482bd3e9095f210cd5a5df76c530f9b1ed1e5ef2a85
  Private key bits: 4096

Certificate #: 2
  Modulus hash: 969db60634c9a482bd3e9095f210cd5a5df76c530f9b1ed1e5ef2a85
  Public key bits: 4096
  Subject:
    C: US
    CN: adamh-dt-2019
    L: Sandy
    O: FairCom
    ST: Utah
  Issuer:
    C: US
    CN: FairCom Private Certificate Authority
    L: Sandy
    O: FairCom
    ST: Utah
  Serial Number: 20231004152528002138000000001
  Valid From (UTC): 2023-09-05 16:11:47
  Valid Until (UTC): 2024-10-05 02:11:47
  Public key algorithm: sha256
  TLS Version.v3
  Extension information:
    Extension name: Subject Alternative Name
      Critical: False
      DNSName: MyPC
      DNSName: mypc.example.com
      IPAddress: 10.250.250.42
      IPAddress: 127.0.0.1
      DNSName: localhost
    Extension name: Basic Constraints
      Critical: True
      CA: False
    Extension name: Key Usage
      Critical: True
      Digital signature: True
      Key encipherment: True
    Extension name: Extended Key Usage
      Critical: True
      Extended key uses:
        Server auth

Press ENTER to exit

Advanced

Run the Python script certinfo.py with command-line parameters:

python certinfo.py --filePath "/certificates/myCertificate.pem"

Command-line options

usage: certinfo.py [-h]

Welcome to FairCom's Certificate Information Program

This program optionally takes one parameter: the full path to the certificate file to inspect. 
For example:
  python certinfo.py /certificates/myCertificate.pem

  • This script shows information about keys and certificates. Because it is common for multiple keys and certificates to be included inside a single file, this script attempts to find every block of cryptographic data, parse that block, and display information about it.

  • You can also use the OpenSSL CLI to inspect certificates:

    openssl x509 -noout -text -in ca.crt
    • The OpenSSL command displays additional information that you might find useful:

      • Version: 3 (0x2)

        This is the X.509 certificate format version (version 3, the one that supports extensions). It has nothing to do with the TLS protocol version: TLS 1.2 or 1.3 is negotiated per connection and is not recorded in the certificate.

      • Subject: C=US, ST=Missouri, L=Columbia, O=Example, OU=IT, CN=Example Private Certificate Authority

        This line shows the information you entered at the prompts.

      • Public Key Algorithm: rsaEncryption

        This line shows that the key was created using the RSA algorithm.

      • Public-Key: (4096 bit)

        This line shows the size of the RSA key, which is the --bits value. It is the key length, not a measure of entropy.

      • X509v3 extensions:
                    X509v3 Basic Constraints: critical
                        CA:TRUE, pathlen:0
                    X509v3 Key Usage: critical
                        Certificate Sign, CRL Sign

        These lines show that the key pair was created to be a CA key pair and that the roles it is meant for are signing certificates and signing Certificate Revocation Lists (CRLs). pathlen:0 means this CA may sign only end-entity (server and client) certificates, not subordinate CA certificates. A server or client certificate shows CA:FALSE instead, so its key cannot be used to issue further certificates.

The renewcert.py script renews all certificates in a folder by creating new certificates that expire later. Then, distribute the renewed certificates to the servers and clients they belong to.

Example

Run the Python script renewcert.py without command-line arguments, and it will prompt you for the following information:

  • Number of months until the renewed certificates expire

Welcome to FairCom's Certificate Renewal Program
For help, run this program with the '-h' option.

The following directories contain certificates:
Certificates in 'downloads\Expires_On_2026-04-14' will be renewed.

Enter the number of months when the certificate will expire.
  When a certificate expires, communications using that certificate no longer work.
  Recommended expiration is 13 months to give time to renew each year.
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
  such as operating systems, browsers, and other software.
  Months [13]: _____

Press ENTER to proceed.
Press x, to exit without any changes.

Successfully created and saved 3 of 3 files:

The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.

Command-line options

Welcome to FairCom's Certificate Renewal Program
For help, run this program with the '-h' option.
usage: renewcert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
                    [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
                    [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]] [--commonName [COMMONNAME]]
                    [--country [COUNTRY]] [--email [EMAIL]] [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]]
                    [--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]]
                    [--passphrase [PASSPHRASE]] [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]
                    [--selfSigned [SELFSIGNED]] [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]]
                    [--unit [UNIT]]

FairCom's Certificate Renewal Program

options:
  -h, --help            show this help message and exit
  --altName [ALTNAME ...]
                        A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
                        A filename to load Subject Alternative Names from. One entry per line. Will be ignored if
                        --altName is present.
  --bits [BITS]         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
                        The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
                        The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
                        An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA
                        key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
                        The base directory to store saved files in.
  --cipher [CIPHER]     The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
                        The Common Name is a string used to identify the certificate.
  --country [COUNTRY]   A two-letter country designation.
  --email [EMAIL]       An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
                        The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
                        The certificate organization location or city.
  --months [MONTHS]     The certificate validity duration.
  --org [ORG]           The certificate organization name.
  --outCertFile [OUTCERTFILE]
                        The output certificate filename.
  --outKeyFile [OUTKEYFILE]
                        The output key filename.
  --passphrase [PASSPHRASE]
                        If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
                        A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
                        If true, the server/client key will sign the new certificate rather than a CA key. Defaults to
                        False. Ignored when generating new CA key pairs.
  --serial [SERIAL]     The serial number is an integer used to identify the certificate. When a certificate is revoked,
                        this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
                        If true, both the key and certificate will be saved in the certificate file. Defaults to False.
                        Ignored when generating new CA key pairs.
  --state [STATE]       The certificate organization state or province.
  --unit [UNIT]         The certificate organization Unit or department.

  • When running renewcert.py, if only one directory contains certificates, that directory is automatically selected for renewal.

  • Certificates expire and must be renewed.

  • You must renew a certificate before expiration; otherwise, TLS communications will fail.

  • When this script renews a CA, server, or client certificate, it creates a new certificate with a new expiration date.

  • This script does not alter a certificate's private key or the original certificate.

  • After you renew a CA certificate, you must do the following:

    • Run importcert.py on client computers to register the new CA certificate.

    • Register the new CA certificate with client software so it can validate server certificates.

    • Generate new server certificates and private keys. Then distribute these files to the appropriate servers.

    • Generate new client certificates and private keys. Then distribute these files to the appropriate users and client software.