YangXplorer/certctl

certctl

A powerful CLI tool for managing SSL certificates — generate CSRs and deploy certificates to remote servers via SSH.

Features

  • Interactive and non-interactive CSR generation
  • SSH-based certificate deployment with automatic backup
  • Multi-platform support (macOS, Linux, Windows)
  • Domain common name management
  • Web server config validation and auto-reload (httpd, nginx, apache2)
  • First-run setup wizard for organization details

Installation

npm install -g certctl

Quick Start

# Generate a new CSR (interactive)
certctl new

# Deploy certificate to remote server (interactive)
certctl deploy

# Manage domains
certctl domain list
certctl domain add example.com

# View configuration
certctl config show

Usage

certctl new

Generate a new Certificate Signing Request (CSR) and private key.

# Interactive mode — select domain and enter email
certctl new

# Non-interactive mode
certctl new --cn example.com --email admin@example.com --no-interactive

# With custom organization details
certctl new --cn example.com --email admin@example.com \
  --country US --state California --locality "San Francisco" \
  --org "My Corp" --ou "Engineering" --no-interactive

# Custom output directory and key size
certctl new --cn example.com --email admin@example.com \
  --output /path/to/certs --key-size 4096 --no-interactive

Flags:

| Flag | Short | Description |
|------|-------|-------------|
| --cn | -c | Common Name (CN) for the certificate |
| --email | -e | Email address for the certificate |
| --country | | Country code (C), read from config |
| --state | | State or Province (ST), read from config |
| --locality | | Locality or City (L), read from config |
| --org | -o | Organization (O), read from config |
| --ou | | Organizational Unit (OU), read from config |
| --output | -d | Output directory (default: ~/.config/openssl/) |
| --key-size | | RSA key size in bits (default: 2048) |
| --no-interactive | | Run in non-interactive mode |

Organization details (--country, --state, etc.) are read from your config file by default. Run certctl config show to check current values, or certctl config reset to re-run the setup wizard.

certctl deploy

Deploy SSL certificates to a remote server via SSH.

# Interactive mode — select host and domain from lists
certctl deploy

# Specify host and domain
certctl deploy --host myserver --domain example.com

# Deploy to nginx server
certctl deploy --host myserver --domain example.com --server nginx

# Custom remote certificate paths
certctl deploy --host myserver --domain example.com \
  --ca-path /etc/nginx/ssl/ca.crt \
  --crt-path /etc/nginx/ssl/cert.crt \
  --key-path /etc/nginx/ssl/key.key

# Skip validation and reload
certctl deploy --host myserver --domain example.com \
  --skip-validate --skip-reload

Flags:

| Flag | Short | Description |
|------|-------|-------------|
| --host | -H | SSH host name from SSH config |
| --domain | -d | Domain name for the certificate |
| --server | -s | Web server type: httpd, nginx, apache2 (default: httpd) |
| --ssh-config | | Path to SSH config file (default: ~/.ssh/config) |
| --cert-dir | | Local certificate directory (default: ~/.config/openssl/<domain>/) |
| --ca-path | | Custom remote CA file path |
| --crt-path | | Custom remote certificate file path |
| --key-path | | Custom remote key file path |
| --skip-validate | | Skip web server config validation |
| --skip-reload | | Skip service reload after deployment |

Deployment process:

  1. Read SSH config and connect to server
  2. Back up existing certificates (.backup)
  3. Upload CA, certificate, and key files
  4. Set file permissions (644 for certs, 600 for keys)
  5. Validate web server configuration
  6. Reload web server to apply new certificates
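
Steps 2 to 5 can be reproduced by hand as in the following added example, which is not certctl's own code and runs against a local path rather than over SSH. It goes beyond the list by writing each file with its final mode before renaming it into place and by restoring the backup when validation fails; install_with_rollback and its arguments are names assumed for this example.

```bash
#!/usr/bin/env bash
# Added example, not certctl's code. Installs one file following steps 2-5
# on the local filesystem; the trailing arguments are the validation command
# (for example: nginx -t).
# Return codes (chosen for this example): 0 installed, 1 I/O error,
# 2 validation failed and the previous file was restored.

# install_with_rollback SRC DEST MODE VALIDATE_CMD...
install_with_rollback() {
  local src=$1 dest=$2 mode=$3; shift 3
  local had_old=0 tmp

  # Step 2: keep the current file as DEST.backup.
  if [ -e "$dest" ]; then
    cp -p "$dest" "$dest.backup" || return 1
    had_old=1
  fi

  # Steps 3 and 4 together: mktemp creates the file with mode 600, the
  # content is written, the final mode is applied, and only then is the
  # file renamed into place. A private key is therefore never on disk with
  # looser permissions, and readers never see a half-written file.
  tmp=$(mktemp "$dest.XXXXXX") || return 1
  cat "$src" > "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest" \
    || { rm -f "$tmp"; return 1; }

  # Step 5: validate. On failure restore the previous file so that a later
  # reload (step 6) cannot pick up a broken certificate set.
  if ! "$@"; then
    if [ "$had_old" -eq 1 ]; then
      cp -p "$dest.backup" "$dest"
    else
      rm -f "$dest"
    fi
    return 2
  fi
}

# Usage (paths are placeholders):
#   install_with_rollback key.pem /etc/nginx/ssl/key.key 600 nginx -t
```
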

certctl domain

Manage domain common names.

certctl domain list              # List all domains with file status
certctl domain add example.com   # Add a new domain
certctl domain remove example.com # Remove a domain
certctl domain search example    # Search domains by keyword

certctl config

Manage configuration settings.

certctl config show   # Show current configuration
certctl config edit   # Edit configuration interactively
certctl config reset  # Reset and re-run setup wizard

Certificate File Format

Generated files are stored in ~/.config/openssl/<domain>/:

~/.config/openssl/example.com/
├── key.pem          # Private key
├── example.com.csr  # Certificate Signing Request
├── cert.pem         # Certificate (placeholder, replace with CA-signed cert)
└── ca.pem           # CA certificate (placeholder)

Workflow:

  1. Run certctl new to generate CSR and private key
  2. Submit the .csr file to your Certificate Authority (CA)
  3. Place the signed certificate in cert.pem and CA chain in ca.pem
  4. Run certctl deploy to upload to your server
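
A pre-deployment check that fits between steps 3 and 4, added here as an example and not part of certctl: it confirms that cert.pem was issued for key.pem, has not expired, and verifies against ca.pem. The function name and return codes are assumptions of this example, and it needs the openssl command-line tool.

```bash
#!/usr/bin/env bash
# Added example, not part of certctl. Checks a directory laid out as above
# (key.pem, cert.pem, ca.pem) before it is deployed.
# Return codes (chosen for this example): 0 ok, 2 missing file,
# 3 unreadable or mismatched key/cert, 4 expired, 5 chain does not verify,
# 6 key permissions too open.

precheck_cert_dir() {
  local dir=$1 f cert_pub key_pub
  local key=$dir/key.pem cert=$dir/cert.pem ca=$dir/ca.pem

  for f in "$key" "$cert" "$ca"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
  done

  # The signed certificate must carry the public half of key.pem. A mismatch
  # means cert.pem was issued for a CSR generated from a different key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "cert.pem does not match key.pem" >&2; return 3
  fi

  # -checkend 0 exits non-zero when the certificate has already expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "cert.pem has expired" >&2; return 4
  fi

  # cert.pem must chain to the CA material in ca.pem. If ca.pem holds only
  # intermediates (no root), add -partial_chain to this command.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "cert.pem does not verify against ca.pem" >&2; return 5
  fi

  # The private key should be accessible to its owner only.
  case $(ls -ld "$key") in
    -???------*) ;;
    *) echo "key.pem is accessible to group/other" >&2; return 6 ;;
  esac
}

# Usage: precheck_cert_dir ~/.config/openssl/example.com && certctl deploy
```
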

SSH Configuration

The deploy command reads hosts from ~/.ssh/config:

Host myserver
    HostName 192.168.1.100
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa

Supported Web Servers

| Server | Config validation | Reload command |
|--------|-------------------|----------------|
| httpd (Apache) | httpd -t | systemctl reload httpd |
| nginx | nginx -t | systemctl reload nginx |
| apache2 | apache2ctl -t | systemctl reload apache2 |

Migration from make-csr-cli v2.x

| Before (v2.x) | After (v3.0) |
|---------------|--------------|
| make-csr generate | certctl new |
| make-csr deploy | certctl deploy |
| make-csr list | certctl domain list |
| make-csr list --add "example.com" | certctl domain add example.com |
| make-csr list --remove "example.com" | certctl domain remove example.com |
| make-csr list --search "example" | certctl domain search example |
| make-csr config --show | certctl config show |
| make-csr config --edit | certctl config edit |
| make-csr config --reset | certctl config reset |
| Files: domain.key, domain.crt, domain.ca | Files: key.pem, cert.pem, ca.pem |

The legacy file format is still supported for deployment, with a migration warning.

License

MIT

About

A command-line app for easily creating the CSR file and key needed for an SSL certificate request
