Certificate Manager¶
The CertManager class handles signing and management of certificates using existing CAs.
Overview¶
The Certificate Manager is responsible for:
Signing server and client certificates
Listing all certificates
Retrieving certificate information
Deleting certificates
Initialization¶
from certica.cert_manager import CertManager
# Initialize with default base directory
cert_manager = CertManager()
# Or specify a custom base directory
cert_manager = CertManager(base_dir="/path/to/certificates")
Parameters:
base_dir (str, optional): Base directory for storing certificates. Default: "output"
Note
Certificates are automatically organized by CA: {base_dir}/certs/{ca_name}/{cert_name}/
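Because that layout puts every issued private key in a predictable place, it is worth auditing those files for permissions that let other local users read them. The helper below is an added example and is not part of Certica: it walks {base_dir}/certs/ as documented, recognises private keys by their PEM header rather than by file name (Certica's key file names are not assumed here), and reports or fixes any key whose mode grants group or world access. It checks POSIX mode bits only, not ACLs.

```python
import os
import stat
from pathlib import Path

# Hypothetical helper, not part of certica. A private key is recognised by its
# PEM header ("-----BEGIN ... PRIVATE KEY-----") so no file name is assumed.
PEM_PRIVATE_MARKER = b"PRIVATE KEY"


def find_exposed_private_keys(base_dir="output"):
    """Return [(path, mode)] for PEM private keys under {base_dir}/certs/
    whose mode grants any group or other access (bits 0o077)."""
    exposed = []
    certs_root = Path(base_dir) / "certs"
    if not certs_root.is_dir():
        return exposed
    for path in sorted(certs_root.rglob("*.pem")):
        try:
            with path.open("rb") as f:
                head = f.read(4096)  # the PEM header is in the first bytes
        except OSError:
            continue
        if PEM_PRIVATE_MARKER not in head:
            continue  # certificate, CSR or chain: public material
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            exposed.append((str(path), mode))
    return exposed


def lock_down_private_keys(base_dir="output"):
    """chmod 0600 every exposed private key; return the paths that were fixed."""
    fixed = []
    for path, _mode in find_exposed_private_keys(base_dir):
        os.chmod(path, 0o600)
        fixed.append(path)
    return fixed


if __name__ == "__main__":
    for path, mode in find_exposed_private_keys("output"):
        print(f"{path}: mode {mode:o} is readable by other users")
```

Run it against the same base_dir the CertManager was created with; a clean result is an empty list. Fixing the mode bits does not help if the directory itself is world-readable and a key was copied elsewhere, so treat findings as a prompt to rotate the key, not only to chmod it.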
Methods¶
sign_certificate¶
Sign a certificate using an existing CA.
result = cert_manager.sign_certificate(
ca_key="/path/to/ca.key.pem",
ca_cert="/path/to/ca.cert.pem",
ca_name="myca",
cert_name="web-server",
cert_type="server",
common_name="web-server.example.com",
dns_names=["web-server.example.com", "www.example.com"],
ip_addresses=["192.168.1.100"],
organization="My Company Inc.",
country="US",
state="California",
city="San Francisco",
validity_days=365,
key_size=2048
)
Parameters:
ca_key (str): Path to the CA private key file (required)
ca_cert (str): Path to the CA certificate file (required)
ca_name (str): Name of the CA, used for directory organization (required)
cert_name (str): Name for the certificate (required)
cert_type (str): Certificate type, "server" or "client". Default: "server"
common_name (str): Common Name (CN) for the certificate. If empty, Certica derives it from the SANs or the certificate name (see the Note below)
dns_names (List[str], optional): DNS names to place in the Subject Alternative Name extension
ip_addresses (List[str], optional): IP addresses to place in the Subject Alternative Name extension
organization (str, optional): Organization name
country (str, optional): Two-letter country code. Default: "CN"
state (str, optional): State/Province. Default: "Beijing"
city (str, optional): City. Default: "Beijing"
validity_days (int, optional): Validity period in days. Default: 365
key_size (int, optional): RSA key size in bits. Default: 2048
Returns:
Dictionary containing:
- cert_name: Name of the certificate
- key: Path to the certificate private key file
- cert: Path to the certificate file
- type: Certificate type
- validity_days: Validity period
Raises:
Exception: For various errors (OpenSSL failures, permission issues, etc.)
Note
The common_name parameter is optional. If not provided, Certica will use:
1. First DNS name (if available)
2. First IP address (if available)
3. Certificate name (as fallback)
Warning
Always include every DNS name and IP address that clients will connect with. Modern TLS clients match the host name against the Subject Alternative Name (SAN) extension and ignore the Common Name (RFC 6125; Chrome stopped honouring the CN in version 58), so a name that appears only in the CN will fail hostname verification.
Example:
import sys
from certica.ca_manager import CAManager
from certica.cert_manager import CertManager
ca_manager = CAManager()
cert_manager = CertManager()
# Get CA information
ca_info = ca_manager.get_ca("myca")
if not ca_info:
    print("CA not found!")
    sys.exit(1)
# Sign a server certificate
result = cert_manager.sign_certificate(
    ca_key=ca_info["key"],
    ca_cert=ca_info["cert"],
    ca_name=ca_info["name"],
    cert_name="web-server",
    cert_type="server",
    dns_names=["example.com", "www.example.com"],
    ip_addresses=["127.0.0.1"],
    validity_days=365
)
print(f"Certificate created: {result['cert']}")
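A pre-flight check on the arguments, written here as an added example rather than Certica code: it applies the Common Name fallback order documented in the Note above, validates the DNS names and IP addresses, requires that a server certificate's CN also appears in its SANs, and rejects weak key sizes and over-long validity periods before anything is signed. The 2048-bit minimum and the 398-day cap are this example's own policy choices, not Certica defaults.

```python
import ipaddress
import re

# Added helper, not part of certica. It returns the keyword arguments for
# CertManager.sign_certificate() after validating them, or raises ValueError.
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MIN_RSA_BITS = 2048       # policy assumption for this example
MAX_VALIDITY_DAYS = 398   # policy assumption, mirrors the public-CA limit for server certs


def _valid_hostname(name):
    # one leading wildcard label is accepted, e.g. *.example.com
    labels = name.split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return 0 < len(name) <= 253 and bool(labels) and all(DNS_LABEL.match(l) for l in labels)


def resolve_common_name(common_name, dns_names, ip_addresses, cert_name):
    """Documented fallback: explicit CN, else first DNS name, else first IP, else cert_name."""
    if common_name:
        return common_name
    if dns_names:
        return dns_names[0]
    if ip_addresses:
        return ip_addresses[0]
    return cert_name


def build_sign_request(cert_name, cert_type="server", common_name="",
                       dns_names=None, ip_addresses=None,
                       validity_days=365, key_size=2048, **extra):
    """Validate and return kwargs for sign_certificate(); extra kwargs
    (organization, country, ...) are passed through unchanged."""
    dns_names = list(dns_names or [])
    ip_addresses = list(ip_addresses or [])
    problems = []
    if cert_type not in ("server", "client"):
        problems.append(f"cert_type must be 'server' or 'client', got {cert_type!r}")
    for name in dns_names:
        if not _valid_hostname(name):
            problems.append(f"invalid DNS name {name!r}")
    for ip in ip_addresses:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"invalid IP address {ip!r}")
    cn = resolve_common_name(common_name, dns_names, ip_addresses, cert_name)
    if cert_type == "server":
        # clients match SANs and ignore the CN, so the CN must be in the SANs too
        if not dns_names and not ip_addresses:
            problems.append("server certificate has no SANs; it will fail hostname verification")
        elif cn not in dns_names and cn not in ip_addresses:
            problems.append(f"CN {cn!r} is not listed in dns_names/ip_addresses")
    if key_size < MIN_RSA_BITS:
        problems.append(f"key_size {key_size} below {MIN_RSA_BITS}")
    if not 1 <= validity_days <= MAX_VALIDITY_DAYS:
        problems.append(f"validity_days {validity_days} outside 1..{MAX_VALIDITY_DAYS}")
    if problems:
        raise ValueError("; ".join(problems))
    return dict(cert_name=cert_name, cert_type=cert_type, common_name=cn,
                dns_names=dns_names, ip_addresses=ip_addresses,
                validity_days=validity_days, key_size=key_size, **extra)


# Usage with the CA lookup shown above (ca_info from CAManager.get_ca):
#   req = build_sign_request("web-server", dns_names=["example.com", "www.example.com"],
#                            ip_addresses=["127.0.0.1"], organization="My Company Inc.")
#   cert_manager.sign_certificate(ca_key=ca_info["key"], ca_cert=ca_info["cert"],
#                                 ca_name=ca_info["name"], **req)
```

The CN returned by resolve_common_name is passed explicitly so that what ends up in the certificate is the value that was validated, rather than whatever the library would derive on its own.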
list_certificates¶
List all signed certificates.
certs = cert_manager.list_certificates()
Returns:
List of dictionaries, each containing:
- name: Certificate name
- ca_name: Name of the CA that signed it
- key: Path to certificate private key
- cert: Path to certificate file
Example:
certs = cert_manager.list_certificates()
for cert in certs:
    print(f"{cert['name']} (signed by {cert['ca_name']})")
get_certificate_info¶
Get detailed information about a certificate using OpenSSL.
info = cert_manager.get_certificate_info("/path/to/cert.pem")
Parameters:
cert_path(str): Path to the certificate file
Returns:
Dictionary containing:
- info: Detailed certificate information (OpenSSL text output)
Example:
cert_path = "output/certs/myca/web-server/cert.pem"
info = cert_manager.get_certificate_info(cert_path)
print(info["info"])
Note
This method uses OpenSSL’s x509 -text -noout command to display certificate details,
including validity dates, subject, issuer, SANs, and extensions.
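Since get_certificate_info returns only that raw OpenSSL text, the checks a practitioner usually wants on an issued certificate (expiry, SAN coverage, key size, EKU, issuer) have to be run against the text itself. The parser and checks below are an added example, not part of Certica. SAMPLE_INFO is a constructed sample laid out like openssl x509 -text -noout output, not a real certificate, and the issuer check compares only the issuer's CN, which is not a substitute for a real chain verification.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not Certica code: parse info["info"] as returned by
# get_certificate_info() (openssl x509 -text -noout output) and check it.

# Constructed sample in the openssl text layout; not a real certificate.
SAMPLE_INFO = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = My Company Inc., CN = myca
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 23:59:59 2024 GMT
        Subject: C = US, ST = California, L = San Francisco, O = My Company Inc., CN = web-server.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:web-server.example.com, DNS:www.example.com, IP Address:192.168.1.100
"""

EKU_FOR_TYPE = {"server": "TLS Web Server Authentication",
                "client": "TLS Web Client Authentication"}


def _parse_openssl_date(text):
    # "Dec 31 23:59:59 2024 GMT"; openssl pads a one-digit day with an extra space
    text = " ".join(text.replace("GMT", "").split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def _dn_field(dn, attr):
    m = re.search(r"(?:^|,\s*)" + attr + r"\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else None


def parse_certificate_text(text):
    """Pull the fields worth checking out of `openssl x509 -text` output."""
    lines = [l.strip() for l in text.splitlines()]
    out = {"subject": "", "issuer": "", "not_before": None, "not_after": None,
           "key_bits": None, "dns_names": [], "ip_addresses": [], "eku": []}
    for i, line in enumerate(lines):
        if line.startswith("Subject:"):
            out["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            out["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Not Before:"):
            out["not_before"] = _parse_openssl_date(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            out["not_after"] = _parse_openssl_date(line.split(":", 1)[1])
        elif "Public-Key:" in line:  # "RSA Public-Key: (2048 bit)" or "Public-Key: (2048 bit)"
            m = re.search(r"\((\d+) bit\)", line)
            if m:
                out["key_bits"] = int(m.group(1))
        elif line.startswith("X509v3 Subject Alternative Name"):
            for entry in lines[i + 1].split(","):  # values are on the following line
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    out["dns_names"].append(value)
                elif kind == "IP Address":
                    out["ip_addresses"].append(value)
        elif line.startswith("X509v3 Extended Key Usage"):
            out["eku"] = [e.strip() for e in lines[i + 1].split(",")]
    return out


def check_certificate(text, expected_hosts, ca_cn, cert_type="server",
                      now=None, warn_days=30, min_rsa_bits=2048):
    """Return a list of findings; an empty list means nothing was flagged."""
    info = parse_certificate_text(text)
    now = now or datetime.now(timezone.utc)
    if info["not_before"] is None or info["not_after"] is None:
        return ["could not parse validity period"]
    findings = []
    if now < info["not_before"]:
        findings.append("not yet valid")
    if now > info["not_after"]:
        findings.append("expired")
    elif info["not_after"] - now < timedelta(days=warn_days):
        findings.append(f"expires within {warn_days} days")
    if info["key_bits"] is not None and info["key_bits"] < min_rsa_bits:
        findings.append(f"weak RSA key ({info['key_bits']} bit)")
    sans = set(info["dns_names"]) | set(info["ip_addresses"])
    for host in expected_hosts:
        if host not in sans:
            findings.append(f"{host} missing from SANs")
    # the issuer CN is only what the certificate claims; verify the chain separately
    if _dn_field(info["issuer"], "CN") != ca_cn:
        findings.append(f"issuer CN is not {ca_cn!r}")
    if EKU_FOR_TYPE[cert_type] not in info["eku"]:
        findings.append(f"missing EKU {EKU_FOR_TYPE[cert_type]!r}")
    return findings
```

With the dictionary the page describes this is check_certificate(info["info"], ["www.example.com"], "myca"). For the signature itself run openssl verify -CAfile /path/to/ca.cert.pem /path/to/cert.pem; matching the issuer CN only confirms what the certificate says about itself.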
delete_certificate¶
Delete a specific certificate.
success = cert_manager.delete_certificate("myca", "web-server")
Parameters:
ca_name (str): Name of the CA that signed the certificate
cert_name (str): Name of the certificate to delete
Returns:
True if deletion was successful, False otherwise.
Example:
if cert_manager.delete_certificate("myca", "web-server"):
    print("Certificate deleted")
else:
    print("Certificate not found or deletion failed")
Certificate Manager - Handles certificate signing operations
- class certica.cert_manager.CertManager(base_dir='output')¶
Bases: object
Manages certificate signing operations
- sign_certificate(ca_key, ca_cert, ca_name, cert_name, cert_type='server', common_name='', dns_names=None, ip_addresses=None, organization='', country='CN', state='Beijing', city='Beijing', validity_days=365, key_size=2048)¶
Sign a certificate using the specified CA
- Parameters:
ca_key (str) – Path to CA private key
ca_cert (str) – Path to CA certificate
ca_name (str) – Name of the CA (for directory organization)
cert_name (str) – Name for the certificate
cert_type (str) – “server” or “client”
common_name (str) – Common name for the certificate
dns_names (List[str]) – DNS names for the Subject Alternative Name extension
ip_addresses (List[str]) – IP addresses for the Subject Alternative Name extension
organization (str) – Organization name
country (str) – Country code
state (str) – State/Province
city (str) – City
validity_days (int) – Certificate validity in days
key_size (int) – RSA key size in bits
- Returns:
Dict with paths to generated files
- Return type: