{"id":30068604,"url":"https://github.com/friedjof/sslmanager","last_synced_at":"2025-10-03T14:29:15.899Z","repository":{"id":305859238,"uuid":"1024120023","full_name":"Friedjof/SSLManager","owner":"Friedjof","description":"A comprehensive Python-based SSL certificate management tool that creates a private Certificate Authority (CA) and issues SSL certificates for multiple domains.","archived":false,"fork":false,"pushed_at":"2025-07-22T09:51:25.000Z","size":34,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-22T11:42:08.470Z","etag":null,"topics":["certificates","diy","homelab","python","script","ssl"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Friedjof.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-22T08:04:39.000Z","updated_at":"2025-07-22T10:10:26.000Z","dependencies_parsed_at":"2025-07-22T11:42:10.275Z","dependency_job_id":"5567d193-fb01-40ee-b8f7-5025f98b38f0","html_url":"https://github.com/Friedjof/SSLManager","commit_stats":null,"previous_names":["friedjof/sslmanager"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Friedjof/SSLManager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Friedjof%2FSSLManager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Friedjof%2FSSLManager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Friedjof%2FSSLManager/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Friedjof%2FSSLManager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Friedjof","download_url":"https://codeload.github.com/Friedjof/SSLManager/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Friedjof%2FSSLManager/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269410047,"owners_count":24412147,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-08T02:00:09.200Z","response_time":72,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificates","diy","homelab","python","script","ssl"],"created_at":"2025-08-08T10:45:56.617Z","updated_at":"2025-10-03T14:29:10.864Z","avatar_url":"https://github.com/Friedjof.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SSL Certificate Manager\n\nA comprehensive Python-based SSL certificate management tool that creates a private Certificate Authority (CA) and issues SSL certificates for multiple domains.\n\n## Features\n\n🔐 **Private CA Management**\n- Create and manage your own Certificate Authority\n- Password-protected CA private keys\n- CA information display and validation\n\n📋 **Multi-Domain Certificates**\n- Support for multiple domains in a single certificate\n- Wildcard domain support (*.example.com)\n- Automatic 
SAN (Subject Alternative Names) configuration\n- Support for local domains (.lan, .local) with IP addresses\n\n🏗️ **Service-Based Organization**\n- Organize certificates by service name\n- Yearly directory structure for easy management\n- Configuration persistence and reuse\n- Service-specific domain management\n\n⚡ **Command Line Interface**\n- Interactive mode for guided certificate creation\n- Direct command execution for automation\n- Comprehensive certificate status overview\n- Certificate renewal and revocation support\n\n## Installation\n\n1. Clone the repository:\n```bash\ngit clone \u003crepository-url\u003e\ncd ssl-certificate-manager\n```\n\n2. Ensure OpenSSL is installed on your system:\n```bash\n# Ubuntu/Debian\nsudo apt install openssl\n\n# CentOS/RHEL\nsudo yum install openssl\n\n# macOS\nbrew install openssl\n```\n\n3. The tool will automatically set up configuration on first run. You can optionally create a template:\n```bash\ncp config.json.example config.json\n```\n\nOr let the interactive setup wizard guide you through configuration. 
The wizard will use `config.json.example` as defaults if available.\n```json\n{\n  \"ca\": {\n    \"country\": \"US\",\n    \"state\": \"California\", \n    \"city\": \"San Francisco\",\n    \"organization\": \"Your Organization\",\n    \"organizationalUnit\": \"IT Department\",\n    \"email\": \"admin@example.com\",\n    \"commonName\": \"Your Root CA\"\n  },\n  \"defaults\": {\n    \"keySize\": 2048,\n    \"validityDays\": 365,\n    \"country\": \"US\",\n    \"state\": \"California\",\n    \"city\": \"San Francisco\", \n    \"organization\": \"Your Organization\",\n    \"organizationalUnit\": \"IT Department\",\n    \"email\": \"ssl@example.com\",\n    \"localTLDs\": [\"lan\", \"local\", \"fkn\", \"internal\"]\n  }\n}\n```\n\n## Usage\n\n### First-Time Setup\nWhen you run the tool for the first time, it will automatically start the setup wizard:\n\n```bash\npython sslmanager.py\n```\n\nThe setup wizard will guide you through:\n- **Organization Details**: Your name/company, location, contact info\n- **CA Configuration**: Certificate Authority naming and setup\n- **Local Network Domains**: Configure TLDs for domain suggestions (e.g., .lan, .local, .fkn)\n- **Certificate Settings**: Key sizes, validity periods, and defaults\n\nThe wizard will:\n- Use `config.json.example` as template if available\n- Suggest realistic values based on your input\n- Provide multiple choice options for common settings\n- Show a summary before saving\n\n### Interactive Mode\nAfter setup, running without arguments starts interactive certificate creation:\n```bash\npython sslmanager.py\n```\n\n### Command Line Options\n\n#### Certificate Management\n```bash\n# Create new certificate for a service\npython sslmanager.py --new proxy\n\n# List all certificates with expiration dates\npython sslmanager.py --list\npython sslmanager.py -l\n\n# Show detailed service information\npython sslmanager.py --info proxy\n\n# Renew a certificate\npython sslmanager.py --renew proxy\n\n# Delete a service and 
all certificates\npython sslmanager.py --delete proxy\n```\n\n#### Certificate Revocation\n```bash\n# Revoke a certificate\npython sslmanager.py --revoke proxy\n\n# Show Certificate Revocation List\npython sslmanager.py --crl\n```\n\n#### CA Management\n```bash\n# Show CA information (including expiration status)\npython sslmanager.py --ca-info\n\n# Renew CA certificate (archives old one)\npython sslmanager.py --ca-renew\n\n# Show help\npython sslmanager.py --help\n```\n\n## Directory Structure\n\n```\nssl-certificate-manager/\n├── sslmanager.py                  # Main entry point\n├── src/                    # Source code modules\n│   ├── __init__.py\n│   ├── config_manager.py   # Configuration management\n│   ├── certificate_authority.py  # CA operations\n│   ├── certificate_manager.py    # Certificate operations\n│   ├── service_manager.py  # Service operations\n│   ├── revocation_manager.py     # Certificate revocation\n│   └── backup_manager.py   # Backup and restore\n├── config.json            # Global configuration\n├── root-ca.crt            # CA certificate\n├── root-ca.key            # CA private key\n├── revoked_serials.txt    # Revoked certificate serials\n├── archive/                # Archived CA certificates\n│   └── ca_YYYYMMDD_HHMMSS/ # Timestamped CA backups\n│       ├── root-ca.crt     # Archived CA certificate\n│       ├── root-ca.key     # Archived CA private key\n│       └── root-ca.srl     # Archived serial file\n└── \u003cservice-name\u003e/        # Service directories\n    ├── config.json        # Service-specific config\n    └── \u003cyear\u003e/           # Yearly certificate storage\n        ├── cert.crt      # Server certificate\n        ├── cert.key      # Server private key\n        └── cert.pem      # Combined certificate chain\n```\n\n## Domain Configuration\n\nWhen creating certificates, you can specify domains in several ways:\n\n### Using Suggestions\nThe tool suggests common patterns based on your service name and configured 
local TLDs (configurable in global config.json):\n- `service.lan` \n- `*.service.lan`\n- `service.local`\n- `*.service.local`\n- etc. (based on your localTLDs configuration)\n\n### Multiple Domain Input\nYou can specify multiple domains using comma-separated values:\n```\n# Mix of suggestions and custom domains\n1, 3, custom.lan, *.custom.fkn\n\n# Numbers refer to suggestion list\n1, 2, 4\n\n# Only custom domains  \nexample.com, *.example.com, api.example.com\n```\n\n## Certificate Status\n\nThe tool provides clear status indicators for both service certificates and CA:\n\n**Service Certificates:**\n- ✅ **VALID**: Certificate is currently valid\n- ⚠️ **EXPIRES SOON**: Certificate expires within 30 days\n- ❌ **EXPIRED**: Certificate has expired\n\n**CA Certificate:**\n- ✅ **VALID**: CA certificate is currently valid (with days remaining)\n- ⚠️ **EXPIRES SOON**: CA certificate expires within 30 days\n- ❌ **EXPIRED**: CA certificate has expired\n\n## Security Features\n\n- Password-protected CA private keys\n- Separate service configurations\n- Certificate revocation support\n- Strong default key sizes (2048-bit minimum)\n- Automatic SAN extension generation\n\n## ⚠️ Security Notice - Home Use Only\n\n**This tool is designed for home and internal network use only.** It is NOT intended for production environments or public-facing services.\n\n### 🔒 Critical Security Requirements\n\n**Protect Your SSL Directory:**\n- The SSL manager directory contains sensitive cryptographic material\n- **CA private keys** can issue certificates for any domain\n- **Service certificates** provide access to your internal services\n- **Backup files** contain encrypted copies of all certificates\n\n### 🛡️ Recommended Security Measures\n\n**File System Security:**\n```bash\n# Set restrictive permissions on the SSL directory\nchmod 700 /path/to/ssl-certificate-manager\nchmod 600 /path/to/ssl-certificate-manager/root-ca.key\nchmod 600 
/path/to/ssl-certificate-manager/config.json\n```\n\n**Access Control:**\n- Keep this directory on an encrypted disk/partition\n- Limit access to authorized users only\n- Consider using a dedicated user account for SSL operations\n- Back up regularly to encrypted external storage\n\n**Network Security:**\n- Use only on trusted internal networks\n- Never expose CA operations to public networks\n- Keep CA private keys offline when possible\n- Use strong, unique passwords for CA and backups\n\n### 🏠 Home Network Best Practices\n\n**Internal Use Only:**\n- Perfect for home labs and development environments\n- Ideal for internal services (NAS, routers, IoT devices)\n- Great for learning SSL/TLS concepts safely\n\n**NOT for Production:**\n- Do not use for public websites\n- Do not use for commercial services\n- Do not use for critical infrastructure\n- Consider a commercial CA for production needs\n\n### 💾 Backup Security\n\n**Encrypted Backups:**\n- All backups are encrypted with strong passwords\n- Store backup files securely (encrypted storage)\n- Test restore procedures regularly\n- Keep backups offline when possible\n\n**Password Management:**\n- Use strong, unique passwords for CA operations\n- Consider using a password manager\n- Document recovery procedures securely\n- Never store passwords in plain text\n\n## Examples\n\n### Create a certificate for a web service\n```bash\npython sslmanager.py --new webserver\n# Follow prompts to select domains like webserver.lan, *.webserver.lan\n```\n\n### Check all certificate statuses\n```bash\npython sslmanager.py -l\n```\n\n### Renew an expiring certificate\n```bash\npython sslmanager.py --renew webserver\n```\n\n### Check CA certificate status and renew if needed\n```bash\npython sslmanager.py --ca-info   # Check CA expiration\npython sslmanager.py --ca-renew  # Renew CA (archives old one)\n```\n\n### Revoke a compromised certificate\n```bash\npython sslmanager.py --revoke webserver\npython sslmanager.py --crl  # View revoked 
certificates\n```\n\n## Certificate Installation\n\n### Installing CA Certificate\n\nTo avoid SSL warnings, you need to install the CA certificate (`root-ca.crt`) as a trusted certificate authority.\n\n#### Browser Installation\n\n**Chrome/Chromium:**\n1. Go to Settings → Privacy and security → Security → Manage certificates\n2. Click \"Authorities\" tab\n3. Click \"Import\" and select `root-ca.crt`\n4. Check \"Trust this certificate for identifying websites\"\n\n**Firefox:**\n1. Go to Settings → Privacy \u0026 Security → Certificates → View Certificates\n2. Click \"Authorities\" tab → \"Import\"\n3. Select `root-ca.crt`\n4. Check \"Trust this CA to identify websites\"\n\n**Safari (macOS):**\n1. Double-click `root-ca.crt` to open Keychain Access\n2. Select \"System\" keychain\n3. Right-click the certificate → Get Info\n4. Expand \"Trust\" → Set \"When using this certificate\" to \"Always Trust\"\n\n#### System Installation\n\n**Linux (Ubuntu/Debian):**\n```bash\n# Copy CA certificate\nsudo cp root-ca.crt /usr/local/share/ca-certificates/\nsudo update-ca-certificates\n\n# For applications using ca-certificates\nsudo cp root-ca.crt /etc/ssl/certs/\nsudo c_rehash /etc/ssl/certs/\n```\n\n**Linux (CentOS/RHEL):**\n```bash\nsudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/\nsudo update-ca-trust\n```\n\n**macOS:**\n```bash\n# Add to system keychain\nsudo security add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain root-ca.crt\n```\n\n**Windows:**\n1. Double-click `root-ca.crt`\n2. Click \"Install Certificate...\"\n3. Select \"Local Machine\" → Next\n4. Select \"Place all certificates in the following store\" → Browse\n5. Select \"Trusted Root Certification Authorities\" → OK\n6. 
Complete the wizard\n\n### Using Server Certificates\n\n**Web Servers (Apache):**\n```apache\nSSLCertificateFile /path/to/cert.crt\nSSLCertificateKeyFile /path/to/cert.key\nSSLCertificateChainFile /path/to/root-ca.crt\n```\n\n**Web Servers (Nginx):**\n```nginx\nssl_certificate /path/to/cert.pem;  # Combined certificate\nssl_certificate_key /path/to/cert.key;\n```\n\n**Docker Containers:**\n```bash\n# Mount certificates as volumes\ndocker run -v /path/to/certs:/certs myapp\n```\n\n## Backup and Restore\n\n### Creating Encrypted Backups\n```bash\n# Create encrypted backup\npython sslmanager.py --backup /path/to/backup.enc\n\n# Backup specific service only\npython sslmanager.py --backup /path/to/backup.enc --service proxy\n```\n\n### Restoring from Backups\n```bash\n# Restore from encrypted backup\npython sslmanager.py --restore /path/to/backup.enc\n\n# Handle conflicts during restore\n# Options: skip, replace, or abort\n```\n\nThe backup includes:\n- All service certificates and keys\n- Service configurations\n- CA certificate and key\n- Certificate revocation list\n\n**Note:** Archived CA certificates in the `archive/` directory are not included in backups by default. 
Archive directories are kept locally for CA renewal history.\n\n## Migration from Old Structure\n\nIf you have an existing manual certificate structure with `.ext` files, use the migration script:\n\n```bash\n# Migrate old structure to new format\npython migrate.py\n```\n\nThe migration script will:\n- ✅ **Scan** for old structure: `\u003cservice\u003e/\u003cyear\u003e/cert.(crt|key|ext|csr)`\n- ✅ **Extract domains** from `.ext` files (SAN entries)\n- ✅ **Create config.json** for each service with extracted domains\n- ✅ **Generate .pem files** (certificate + CA chain)\n- ✅ **Secure private keys** with 600 permissions\n- ✅ **Preserve all existing files** (no data loss)\n\n**Before migration:**\n```\nproxy/\n├── 2024/\n│   ├── cert.crt\n│   ├── cert.key\n│   ├── cert.ext    # Contains: DNS:proxy.lan,DNS:*.proxy.lan\n│   └── cert.csr\n└── 2025/\n    ├── cert.crt\n    ├── cert.key\n    ├── cert.ext\n    └── cert.csr\n```\n\n**After migration:**\n```\nproxy/\n├── config.json     # NEW: Contains extracted domains and settings\n├── 2024/\n│   ├── cert.crt\n│   ├── cert.key\n│   ├── cert.pem    # NEW: Combined certificate chain\n│   ├── cert.ext    # PRESERVED\n│   └── cert.csr    # PRESERVED\n└── 2025/\n    ├── cert.crt\n    ├── cert.key\n    ├── cert.pem    # NEW: Combined certificate chain\n    ├── cert.ext    # PRESERVED\n    └── cert.csr    # PRESERVED\n```\n\n## Requirements\n\n- Python 3.6+\n- OpenSSL\n- Linux, macOS, or Windows with OpenSSL available\n- `cryptography` library for backup encryption (install with `pip install cryptography`)\n\n## Configuration Files\n\n### Global Configuration (`config.json`)\nContains default values for CA creation and certificate generation, including:\n- CA and certificate defaults\n- **Local TLDs**: Array of TLDs used for domain suggestions (e.g., `[\"lan\", \"local\", \"fkn\", \"internal\"]`)\n- Organizational information\n\n### Service Configuration (`\u003cservice\u003e/config.json`)\nStores service-specific settings 
including:\n- CA configuration used for this service\n- Certificate defaults\n- Domain list for easy regeneration\n\n## License\n\nMIT License - see LICENSE file for details.\n\n## Contributing\n\n1. Fork the repository\n2. Create a feature branch\n3. Commit your changes\n4. Push to the branch  \n5. Create a Pull Request\n\n## Support\n\nFor issues and questions, please use the GitHub issue tracker.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffriedjof%2Fsslmanager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffriedjof%2Fsslmanager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffriedjof%2Fsslmanager/lists"}