Skip to content
This repository has been archived by the owner on Jun 6, 2022. It is now read-only.


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Certificate Magic!

Certificate Magic! helps make it easy create and install certificates.

To set up a new certificate in AWS perform the following steps

  1. run the create command to generate a CSR and encrypted private key

  2. (IRL) get the certificate issued using your provider

  3. run the install command with the certificate you get back from (2.)

  4. (IRL) set up the certificate for your application and test it is working

  5. run tidy to delete the temporary files

Installing Certificate Magic!

You can then run Certificate Magic! directly using java -jar <path to>/cert-magic.jar <args> but it’s usually simpler to create an executable script you can use directly.

To create a script to run the jar, create a file at ~/bin/cert-magic with the following contents. Be sure to replace $(dirname $0)/cert-magic.jar with the path to your downloaded cert-magic.jar, unless you put the jar in the same folder as the script.

java -jar $(dirname $0)/cert-magic.jar "$@"

Make the script executable:

chmod u+x ~/bin/cert-magic

(Make sure your bin directory is on your path)


Create a new CSR for your domain, using your configured AWS profile

cert-magic create -d -p my-aws-profile

Create a CSR for a wildcard domain, specifying the region

cert-magic create -d * -p my-profile -r eu-west-1

Install a certificate into AWS

cert-magic install --certificate <path to cert> --chain <path to chain/bundle> -p aws-profile

Install a certificate into a second (different) AWS account

cert-magic install --certificate <path to cert> --chain <path to chain/bundle> -p aws-profile --installProfile different-aws-profile

Delete the files associated with a domain (to clear up after installation)

cert-magic tidy -d

Checking certificates

Once a certificate has been installed, check it using the SSL Labs server test, making sure 'Do not show the results on the boards' is checked.

Anything less than an 'A' grade is worth investigating.


Here is a little more detail on each command


This creates a keypair and certificate signing request for the given domain. The private key is encrypted using AWS KMS and stored under ~/.certmagic in your home directory. The CSR is displayed (and also saved to a file) so that you can send the CSR to a CA for signing.


When you get your certificate back, use the install mode to validate and upload your certificate into IAM. The private key will be decrypted appropriately and installed alongside the certificate and certificate chain.

If you are uploading the same certificate to multiple AWS accounts you’ll need to use the optional installProfile flag. This allows you to specify a profile to use for the certificate installation. You’ll still need to provide the same profile you used to create the certificate so that the private key can be correctly decrypted. In this way you can install the certificate in multiple accounts by running the command with different install profiles provided.


List the private keys and CSRs that are outstanding.


Deletes the files associated with a domain to remove any access to the private key. This should be done after a domain is installed and has been tested.


A small scala app that creates and installs certificates in AWS IAM


Code of conduct





No packages published