createservercert.py
Create a server certificate using the createservercert.py script in FairCom Certificate Manager
Create a server certificate using the createservercert.py script in FairCom certificate manager
This script creates a server certificate and its private key to verify the authenticity of one server. Then, distribute the server certificate and its private key to the server for which it was created.
Important
Before running createservercert.py, create a CA certificate using createcacert.py .
A company's CA administrator typically creates a server certificate to verify the identity of a server used inside a company.
Easy
Run the Python script createservercert.py without command-line arguments, and it prompts you for the following required information:
Number of months until the server certificate expires
Hostname of the server
TCP/IP addresses or DNS names of the server
Welcome to FairCom Server TLS Key Pair Creator For help, run this program with the '-h' option. Enter the number of months when the certificate will expire. When a certificate expires, communications using that certificate no longer work. Recommended expiration is 13 months to give time to renew each year. NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used, such as operating systems, browsers, and other software. Months [13]: __________ Enter the hostname of the server (this will be the name of the output files): __________ Enter a filename that contains IP addresses and DNS names, or press ENTER to be prompted for this information: __________ Enter one IP address or DNS name and press ENTER to enter another. Pressing ENTER on an empty line will terminate address entry. Enter a new IP address or DNS name: __________ Done collecting IP addresses and DNS names. Enter an optional two-letter country code where your company is located: __________ Enter an optional state/province where your company is located: __________ Enter an optional city where your company is located: __________ Enter an optional department within your organization: __________ Enter an optional email address to associate with this certificate: __________ Loading the CA key from 'C:\examplefilepath' Loading the CA certificate from 'C:\examplefilepath' Press ENTER to proceed. Press x, to exit without any changes. Successfully created and saved 1 of 1 files:
The output files listed at the bottom will always show the absolute path to the files, even if relative paths were used throughout the program.
Advanced
Run the Python script createservercert.py with command-line parameters:
python createservercert.py --altName www.mycompany.com 2606:2800:220:1:248:1893:25c8:1946 93.184.216.34 10.0.0.5 127.0.0.1 localhost --altNameFile san.txt --bits 4096 --caCertFile ca.crt --caKeyFile ca.key --caKeyFilePass mYp@s$w0rd --certManagementFolder Certs --cipher sha256 --commonName "MyCompany Server 1" --country US --email support@MyCompany.com --location Columbia --months 13 --org "MyCompany Widgets" --outCertFile example.crt --outKeyFile example.key --passphrase mYp@s$w0rd --selfSigned False --serial 1234567890 --singleFile False --state Missouri --unit IT
Command-line options
Welcome to FairCom Server TLS Key Pair Creator
For help, run this program with the '-h' option.
usage: createservercert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
[--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
[--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]]
[--commonName [COMMONNAME]] [--country [COUNTRY]] [--email [EMAIL]]
[--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]] [--months [MONTHS]] [--org [ORG]]
[--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]] [--passphrase [PASSPHRASE]]
[--revokeSerialNumbers [REVOKESERIALNUMBERS ...]] [--selfSigned [SELFSIGNED]]
[--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]] [--unit [UNIT]]
FairCom Server TLS Key Pair Creator
options:
-h, --help show this help message and exit
--altName [ALTNAME ...]
A space delimited list of Subject Alternative Names.
--altNameFile [ALTNAMEFILE]
A filename to load Subject Alternative Names from. One entry per line. Will be ignored if
--altName is present.
--bits [BITS] The bit-depth to use when generating the private key. Defaults to 4096.
--caCertFile [CACERTFILE]
The CA certificate filename. Ignored when generating new CA key pairs.
--caKeyFile [CAKEYFILE]
The CA key filename. Ignored when generating new CA key pairs.
--caKeyFilePass [CAKEYFILEPASS]
An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA
key pairs.
--certManagementFolder [CERTMANAGEMENTFOLDER]
The base directory to store saved files in.
--cipher [CIPHER] The cipher to use for encryption and decryption. Defaults to sha256.
--commonName [COMMONNAME]
The Common Name is a string used to identify the certificate.
--country [COUNTRY] A two-letter country designation.
--email [EMAIL] An email address to associate with the output certificate.
--inputDirectory [INPUTDIRECTORY]
The directory containing certificates to renew. Used only by renewcert.py
--location [LOCATION]
The certificate organization location or city.
--months [MONTHS] The certificate validity duration.
--org [ORG] The certificate organization name.
--outCertFile [OUTCERTFILE]
The output certificate filename.
--outKeyFile [OUTKEYFILE]
The output key filename.
--passphrase [PASSPHRASE]
If provided, the new key will be encrypted using this passphrase.
--revokeSerialNumbers [REVOKESERIALNUMBERS ...]
A space delimited list of serial numbers to revoke. Used only by revokecert.py
--selfSigned [SELFSIGNED]
If true, the server/client key will sign the new certificate rather than a CA key. Defaults to
False. Ignored when generating new CA key pairs.
--serial [SERIAL] The serial number is an integer used to identify the certificate. When a certificate is revoked,
this number is how the revoked certificate is identified.
--singleFile [SINGLEFILE]
If true, both the key and certificate will be saved in the certificate file. Defaults to False.
Ignored when generating new CA key pairs.
--state [STATE] The certificate organization state or province.
--unit [UNIT] The certificate organization Unit or department.
--altNameFile method
As an alternative to the above examples, you may use --altNameFile to create a server certificate. First, create a text file containing the TCP/IP addresses and DNS names of the server that identify the server. Put each name on a separate line, such as the following example:
mydomain.com www.mydomain.com 10.21.12.31 localhost 127.0.0.1
Then, specify that file location using the --altNameFile argument:
--altNameFile "C:/ExampleFilePath"
You may also skip creating the file and simply run your information directly in the command line using --altName. Put a space between each entry, such as the following example:
--altName "mydomain.com www.mydomain.com 10.21.12.31 localhost 127.0.0.1"
When creating server certificates, the SAN contains one or more addresses of the server and is used by clients to validate that the address they connected to has a certificate that is valid for that address — for example, if you connect your browser to www.example.com and the certificate that site returns is for www.badexample.com, your browser will know that the site and/or certificate should not be trusted. Because of this, the SAN is essential for a server, but less important for a CA key pair or a client key pair.
The common name used to be what a client used to validate the server's address against. Since the advent of multi-domain certificates, the server address is validated against the contents of the SAN.
If you have to support a client that cannot use the SAN to validate the server address, that client is likely running an old encryption engine and should be audited for security risks.