createservercert.py

Create a server certificate using the createservercert.py script in FairCom Certificate Manager

This script creates a server certificate and its private key, which together let clients verify the authenticity of one server. After running this script, copy the server certificate and its private key to the server for which they were created. The certificate is public; the private key is the secret that proves the server's identity and must exist only on that server.

Important

Before running createservercert.py, create a CA certificate using createcacert.py.

A company's CA administrator typically creates a server certificate to verify the identity of a server used inside a company.

Easy

Run the Python script createservercert.py without command-line arguments, and it prompts you for the following required information:

  • Hostname of the server. Provide a name that will help you remember which computer/server this certificate file is for; it is used as part of the output file names. It does not need to match the machine's actual hostname as configured in the OS.

  • Number of months until the server certificate expires.

  • IP addresses (IPv4 or IPv6) and/or DNS names of the server this certificate is for. Clients and web browsers compare the address they connected to against this list (the certificate's Subject Alternative Name field), so every name or address clients will use to reach the server must be listed, and each entry must belong to this server. The machine's own hostname can be found by running the "hostname" command on the server (Windows, Linux, and macOS); add the fully qualified name as well if clients use it.

  • Optional information about your company.  Some of this might be filled in automatically from the information you entered during previous runs of these 'certificate manager' scripts.

Note

This is a summary of what is displayed. It does not show everything that is displayed.

Welcome to FairCom Server TLS Key Pair Creator
For help, run this program with the '-h' option.

Enter the hostname of the server (this will be used as part of the file names): __________

Enter the number of months when the certificate will expire.
  When a certificate expires, communications using that certificate no longer work.
  Recommended expiration is 13 months to give time to renew each year.
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
    such as operating systems, browsers, and other software.
Months [13]: __________
Enter a filename that contains IP addresses and DNS names, or press ENTER to be prompted for this information: __________
Enter one IP address or DNS name and press ENTER to enter another.  Pressing ENTER on an empty line will terminate address entry.
  Enter a new IP address or DNS name: __________
  Enter a new IP address or DNS name: __________
Done collecting IP addresses and DNS names.
Enter an optional two-letter country code where your company is located: __________
Enter an optional state/province where your company is located: __________
Enter an optional city where your company is located: __________
Enter an optional department within your organization: __________
Enter an optional email address to associate with this certificate: __________
Loading the CA key from 'Certs\_ca_key\ca.key'
Loading the CA certificate from 'Certs\Expires_On_date\ca.crt'

Press ENTER to proceed.
Press x, to exit without any changes.

Successfully created and saved 1 of 1 files:

Note

This is a summary of what is printed. It does not show everything that is printed.

The output files listed at the bottom will always show the absolute path to the files, even if relative paths were used throughout the program.

The "Expires_On_ . . . .\______Server.pem" file holds the private key and the public certificate for the specified server. Because it contains the private key, copy it only to that server, restrict read access to the account the server runs as, and do not share it, email it, or commit it to version control. Parties that need to trust the server should be given the CA certificate, not this file.

Advanced

Run the Python script createservercert.py with command-line parameters. The following example passes every option for completeness; in practice, omit the ones whose defaults you accept:

python createservercert.py --altName www.mycompany.com 2606:2800:220:1:248:1893:25c8:1946 93.184.216.34 10.0.0.5 127.0.0.1 localhost --altNameFile san.txt --bits 4096 --caCertFile ca.crt --caKeyFile ca.key --caKeyFilePass mYp@s$w0rd --certManagementFolder Certs --cipher sha256 --commonName "MyCompany Server 1" --country US --email support@MyCompany.com --location Columbia --months 13 --org "MyCompany Widgets" --outCertFile example.crt --outKeyFile example.key --passphrase mYp@s$w0rd --selfSigned False --serial 1234567890 --singleFile False --state Missouri --unit IT

Two things to note about this example. First, --altNameFile san.txt is ignored here because --altName is also present (see the option descriptions below); use one or the other. Second, --caKeyFilePass and --passphrase place secrets on the command line, where they end up in shell history and are visible to other users of the machine through the process list. Keep that in mind on shared machines and clear them from the history afterwards.

Command-line options

Welcome to FairCom Server TLS Key Pair Creator
For help, run this program with the '-h' option.
usage: createservercert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
                           [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
                           [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]]
                           [--commonName [COMMONNAME]] [--country [COUNTRY]] [--email [EMAIL]]
                           [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]] [--months [MONTHS]] [--org [ORG]]
                           [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]] [--passphrase [PASSPHRASE]]
                           [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]] [--selfSigned [SELFSIGNED]]
                           [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]] [--unit [UNIT]]

FairCom Server TLS Key Pair Creator

options:
  -h, --help            show this help message and exit
  --altName [ALTNAME ...]
                        A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
                        A filename to load Subject Alternative Names from. One entry per line. Will be ignored if
                        --altName is present.
  --bits [BITS]         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
                        The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
                        The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
                        An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA
                        key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
                        The base directory to store saved files in.
  --cipher [CIPHER]     The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
                        The Common Name is a string used to identify the certificate.
  --country [COUNTRY]   A two-letter country designation.
  --email [EMAIL]       An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
                        The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
                        The certificate organization location or city.
  --months [MONTHS]     The certificate validity duration.
  --org [ORG]           The certificate organization name.
  --outCertFile [OUTCERTFILE]
                        The output certificate filename.
  --outKeyFile [OUTKEYFILE]
                        The output key filename.
  --passphrase [PASSPHRASE]
                        If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
                        A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
                        If true, the server/client key will sign the new certificate rather than a CA key. Defaults to
                        False. Ignored when generating new CA key pairs.
  --serial [SERIAL]     The serial number is an integer used to identify the certificate. When a certificate is revoked,
                        this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
                        If true, both the key and certificate will be saved in the certificate file. Defaults to False.
                        Ignored when generating new CA key pairs.
  --state [STATE]       The certificate organization state or province.
  --unit [UNIT]         The certificate organization Unit or department.

--altNameFile method

As an alternative to the above examples, you may use --altNameFile to supply the server's Subject Alternative Names from a file. First, create a text file containing the IP addresses and DNS names that identify the server, one entry per line, such as the following example:

mydomain.com
www.mydomain.com
10.21.12.31
localhost
127.0.0.1

Then, specify that file location using the --altNameFile argument:

--altNameFile "C:/ExampleFilePath"

You may also skip creating the file and pass the entries directly on the command line with --altName. Separate the entries with spaces and pass them as individual arguments rather than as one quoted string, as the full example in the Advanced section does:

--altName mydomain.com www.mydomain.com 10.21.12.31 localhost 127.0.0.1
  • The machine's hostname can be found by running the hostname command on the server; Windows, Linux, and macOS all have the same command.

  • When creating server certificates, the Subject Alternative Name (SAN) field contains one or more addresses and/or domain names of the server. Clients use it to check that the address they connected to is one the certificate is valid for. For example, if you connect your browser to www.example.com and the certificate that site returns is for www.badexample.com, your browser knows that the site and/or certificate should not be trusted. Because of this, the SAN is essential for a server certificate, but less important for a CA key pair or a client key pair.

  • The Common Name (CN) used to be what a client validated the server's address against. Since the advent of multi-domain certificates, the server address is validated against the contents of the SAN, and current browsers ignore the CN for this purpose, so a server name that appears only in the CN will not be accepted.

  • If you have to support a client that cannot use the SAN to validate the server address, that client is running an outdated TLS implementation and should be audited for security risks.
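The following Python script is an added example written for this page, not code from FairCom Certificate Manager. It reads a list in the --altNameFile format shown above (the sample list is constructed here), separates IP addresses from DNS names as the SAN field does, builds the equivalent --altName argument list with one argument per entry, and then applies the matching rule a TLS client uses, as described in the bullets above, to a few connection targets. The function names are the example's own.

```python
"""Added example: SAN list handling and client-side name matching.

Illustrative code written for this page, not part of FairCom Certificate
Manager. It parses an --altNameFile style list, splits it into the two SAN
types, builds the matching --altName arguments, and shows how a TLS client
decides whether a certificate is valid for the address it connected to.
"""
import ipaddress
import re

# Constructed sample in the --altNameFile format shown on this page.
SAMPLE_ALTNAME_FILE = """\
mydomain.com
www.mydomain.com
10.21.12.31
localhost
127.0.0.1
"""

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_dns_name(name):
    """Accept 'host', 'host.example' or a single left-most '*' wildcard label."""
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
        if len(labels) < 2:          # '*.com' style wildcards are rejected by clients
            return False
    return all(_LABEL.match(label) for label in labels)


def parse_altname_file(text):
    """Return (dns_names, ip_addresses) from altNameFile text.

    Blank lines are skipped. Anything that is neither an IP literal nor a
    syntactically valid DNS name raises ValueError: a malformed entry is
    better caught here than discovered as a handshake failure later.
    """
    dns_names, ip_addresses = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ip_addresses.append(ipaddress.ip_address(entry))   # IPv4 or IPv6 literal
            continue
        except ValueError:
            pass
        name = entry.lower().rstrip(".")                       # DNS names are case-insensitive
        if not _is_dns_name(name):
            raise ValueError(f"line {lineno}: {entry!r} is neither an IP address nor a DNS name")
        dns_names.append(name)
    return dns_names, ip_addresses


def altname_args(dns_names, ip_addresses):
    """Build the --altName argument list: one argv element per SAN entry,
    never a single quoted string containing all of them."""
    return ["--altName", *dns_names, *(str(ip) for ip in ip_addresses)]


def dns_matches(pattern, hostname):
    """RFC 6125 style comparison of one DNS SAN entry against a hostname.

    Matching is case-insensitive. A wildcard is only honoured as the whole
    left-most label and matches exactly one label, so '*.mydomain.com'
    covers 'www.mydomain.com' but neither 'mydomain.com' nor 'a.b.mydomain.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def target_is_valid(target, dns_names, ip_addresses):
    """Decide as a client would: an IP literal must appear as an IP SAN and a
    hostname must match a DNS SAN. The certificate's Common Name plays no part."""
    try:
        return ipaddress.ip_address(target) in ip_addresses
    except ValueError:
        return any(dns_matches(pattern, target) for pattern in dns_names)


if __name__ == "__main__":
    dns_names, ip_addresses = parse_altname_file(SAMPLE_ALTNAME_FILE)
    print("DNS SANs:", dns_names)
    print("IP SANs: ", [str(ip) for ip in ip_addresses])
    print("argv:    ", altname_args(dns_names, ip_addresses))
    for target in ("www.mydomain.com", "WWW.MYDOMAIN.COM", "127.0.0.1",
                   "mail.mydomain.com", "10.21.12.32"):
        verdict = "valid" if target_is_valid(target, dns_names, ip_addresses) else "REJECTED"
        print(f"{target:20} -> {verdict}")
```

Running the script prints the two SAN groups, the argument list you would hand to createservercert.py, and a verdict per target. Note that mail.mydomain.com and 10.21.12.32 are rejected even though they are "close" to listed entries: a client compares exactly, so any name or address missing from the file is a name the server cannot serve over TLS.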