YangXplorer/certpilot

certpilot

A powerful CLI tool for managing SSL certificates — generate CSRs and deploy certificates to remote servers via SSH.

Features

  • Interactive and non-interactive CSR generation
  • SSH-based certificate deployment with automatic backup
  • Multi-platform support (macOS, Linux, Windows)
  • Domain common name management
  • Web server config validation and auto-reload (httpd, nginx, apache2)
  • First-run setup wizard for organization details

Installation

npm install -g certpilot

Quick Start

# Generate a new CSR (interactive)
certpilot new

# Deploy certificate to remote server (interactive)
certpilot deploy

# Manage domains
certpilot domain list
certpilot domain add example.com

# View configuration
certpilot config show

Usage

certpilot new

Generate a new Certificate Signing Request (CSR) and private key.

# Interactive mode — select domain and enter email
certpilot new

# Non-interactive mode
certpilot new --cn example.com --email admin@example.com --no-interactive

# With custom organization details
certpilot new --cn example.com --email admin@example.com \
  --country US --state California --locality "San Francisco" \
  --org "My Corp" --ou "Engineering" --no-interactive

# Custom output directory and key size
certpilot new --cn example.com --email admin@example.com \
  --output /path/to/certs --key-size 4096 --no-interactive

Flags:

| Flag | Short | Description |
|------|-------|-------------|
| --cn | -c | Common Name (CN) for the certificate |
| --email | -e | Email address for the certificate |
| --country | | Country code (C), read from config |
| --state | | State or Province (ST), read from config |
| --locality | | Locality or City (L), read from config |
| --org | -o | Organization (O), read from config |
| --ou | | Organizational Unit (OU), read from config |
| --output | -d | Output directory (default: ~/.config/openssl/) |
| --key-size | | RSA key size in bits (default: 2048) |
| --no-interactive | | Run in non-interactive mode |

Organization details (--country, --state, etc.) are read from your config file by default. Run certpilot config show to check current values, or certpilot config reset to re-run the setup wizard.

certpilot deploy

Deploy SSL certificates to a remote server via SSH.

# Interactive mode — select host and domain from lists
certpilot deploy

# Specify host and domain
certpilot deploy --host myserver --domain example.com

# Deploy to nginx server
certpilot deploy --host myserver --domain example.com --server nginx

# Custom remote certificate paths
certpilot deploy --host myserver --domain example.com \
  --ca-path /etc/nginx/ssl/ca.crt \
  --crt-path /etc/nginx/ssl/cert.crt \
  --key-path /etc/nginx/ssl/key.key

# Skip validation and reload
certpilot deploy --host myserver --domain example.com \
  --skip-validate --skip-reload

Flags:

| Flag | Short | Description |
|------|-------|-------------|
| --host | -H | SSH host name from SSH config |
| --domain | -d | Domain name for the certificate |
| --server | -s | Web server type: httpd, nginx, apache2 (default: httpd) |
| --ssh-config | | Path to SSH config file (default: ~/.ssh/config) |
| --cert-dir | | Local certificate directory (default: ~/.config/openssl/<domain>/) |
| --ca-path | | Custom remote CA file path |
| --crt-path | | Custom remote certificate file path |
| --key-path | | Custom remote key file path |
| --skip-validate | | Skip web server config validation |
| --skip-reload | | Skip service reload after deployment |

Deployment process:

  1. Read SSH config and connect to server
  2. Back up existing certificates (.backup)
  3. Upload CA, certificate, and key files
  4. Set file permissions (644 for certs, 600 for keys)
  5. Validate web server configuration
  6. Reload web server to apply new certificates

certpilot domain

Manage domain common names.

certpilot domain list              # List all domains with file status
certpilot domain add example.com   # Add a new domain
certpilot domain remove example.com # Remove a domain
certpilot domain search example    # Search domains by keyword

certpilot config

Manage configuration settings.

certpilot config show   # Show current configuration
certpilot config edit   # Edit configuration interactively
certpilot config reset  # Reset and re-run setup wizard

Certificate File Format

Generated files are stored in ~/.config/openssl/<domain>/:

~/.config/openssl/example.com/
├── key.pem          # Private key
├── example.com.csr  # Certificate Signing Request
├── cert.pem         # Certificate (placeholder, replace with CA-signed cert)
└── ca.pem           # CA certificate (placeholder)

Workflow:

  1. Run certpilot new to generate CSR and private key
  2. Submit the .csr file to your Certificate Authority (CA)
  3. Place the signed certificate in cert.pem and CA chain in ca.pem
  4. Run certpilot deploy to upload to your server
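
A pre-deploy check for the directory layout above, as an added example that is not part of certpilot: it rejects a key readable by group or others, a cert.pem or ca.pem that holds no PEM certificate, and (when openssl is installed) a certificate that does not match the key or has expired. The function names preflight and file_mode are hypothetical, and the check assumes the placeholder files written by certpilot new contain no PEM certificate block.

```shell
#!/bin/sh
# Added example, not certpilot code. Assumes the key.pem / cert.pem / ca.pem
# layout shown above; the owner-only key policy is this example's own choice.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# preflight DIR: print each problem found; return 0 only when there are none.
preflight() {
    dir=$1
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # The private key must exist and be accessible to its owner only.
    if [ ! -f "$dir/key.pem" ]; then
        fail "key.pem is missing"
    else
        mode=$(file_mode "$dir/key.pem")
        case $mode in
            600|400) ;;
            *) fail "key.pem has mode $mode, expected 600" ;;
        esac
    fi

    # cert.pem and ca.pem start as placeholders; require a PEM certificate block.
    for f in cert.pem ca.pem; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/$f" 2>/dev/null ||
            fail "$f holds no PEM certificate (still a placeholder?)"
    done

    # With openssl present, confirm the certificate matches the key and is unexpired.
    if [ "$problems" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            fail "cert.pem does not match key.pem"
        fi
        openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null 2>&1 ||
            fail "cert.pem is expired or unreadable"
    fi

    [ "$problems" -eq 0 ]
}

# Usage: preflight ~/.config/openssl/example.com && \
#        certpilot deploy --host myserver --domain example.com
```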

SSH Configuration

The deploy command reads hosts from ~/.ssh/config:

Host myserver
    HostName 192.168.1.100
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa

Supported Web Servers

| Server | Config validation | Reload command |
|--------|-------------------|----------------|
| httpd (Apache) | httpd -t | systemctl reload httpd |
| nginx | nginx -t | systemctl reload nginx |
| apache2 | apache2ctl -t | systemctl reload apache2 |

Migration from make-csr-cli v2.x

| Before (v2.x) | After (v3.0) |
|---------------|--------------|
| make-csr generate | certpilot new |
| make-csr deploy | certpilot deploy |
| make-csr list | certpilot domain list |
| make-csr list --add "example.com" | certpilot domain add example.com |
| make-csr list --remove "example.com" | certpilot domain remove example.com |
| make-csr list --search "example" | certpilot domain search example |
| make-csr config --show | certpilot config show |
| make-csr config --edit | certpilot config edit |
| make-csr config --reset | certpilot config reset |
| Files: domain.key, domain.crt, domain.ca | Files: key.pem, cert.pem, ca.pem |

Legacy file format is still supported for deployment with a migration warning.

License

MIT

About

A command-line app for easily creating CSR files and keys for SSL certificate requests.
