{"id":19929076,"url":"https://github.com/thescriptguy/certificateauthenticationgenerator","last_synced_at":"2025-08-29T14:41:19.430Z","repository":{"id":134310187,"uuid":"605390058","full_name":"TheScriptGuy/certificateAuthenticationGenerator","owner":"TheScriptGuy","description":"Create a Root CA and endpoint client certificate.","archived":false,"fork":false,"pushed_at":"2024-01-04T05:24:33.000Z","size":96,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-12T01:13:24.326Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TheScriptGuy.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-23T03:37:30.000Z","updated_at":"2023-04-11T16:14:15.000Z","dependencies_parsed_at":"2024-01-03T21:24:49.006Z","dependency_job_id":"31cd4cae-56cf-4576-a606-a6ab6dff7ae2","html_url":"https://github.com/TheScriptGuy/certificateAuthenticationGenerator","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheScriptGuy%2FcertificateAuthenticationGenerator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheScriptGuy%2FcertificateAuthenticationGenerator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheScriptGuy%2FcertificateAuthenticationGenerator/releases","manifests_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/TheScriptGuy%2FcertificateAuthenticationGenerator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TheScriptGuy","download_url":"https://codeload.github.com/TheScriptGuy/certificateAuthenticationGenerator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241355197,"owners_count":19949323,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T22:41:49.693Z","updated_at":"2025-03-01T11:18:50.751Z","avatar_url":"https://github.com/TheScriptGuy.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Generate Certificate files for testing purposes\nThis script is meant to help with the easy creation of a Root Certificate Authority as well as a certificate for client authentication.\n\nDefault values:\n* The company name is assumed to be `ACME Corp`.\n* The certificates are valid by default for `1 year`.\n* Root CA uses `2048` bits.\n* Root CA uses `sha512` digest.\n* Client Authentication Certificate uses `2048` bits.\n* Client Authentication Certificate uses `sha256` digest.\n\nIf `--ecc` argument is present, then the following applies:\n* Root CA uses the `secp256r1` curve\n* Root CA uses `sha512` digest\n* Client Authentication certificate uses the `secp256r1` curve\n* Client Authentication certificate uses `sha256` digest.\n\nYou can change the company name by using the `--companyName` argument.\n\n# Requirements\npyopenssl must be installed. 
To install:\n```bash\n$ python3 -m pip install cryptography==40.0.2 datetime pyasn1 idna\n```\n\n# Help\n```bash\n$ python3 generate-certificate.py -h\nusage: generate-certificate.py [-h] [--companyName COMPANYNAME] [--generateRootCA] [--generateClientCertificate] [--generatePKCS12]\n                               [--nonRestrictiveRootCA] [--ecc] [--dnsName] [--userPrincipalName] [--removeAllCertsAndKeys] [--windowsInstallation]\n\nCertificate Generation v1.10\n\noptions:\n  -h, --help            show this help message and exit\n  --companyName COMPANYNAME\n                        Entity/Company name for the certificates.\n  --generateRootCA      Generate the Root CA certificate and key. Uses --companyName in certificate creation.\n  --generateClientCertificate\n                        Generate the client certificate to use for client authentication.\n  --generatePKCS12      generate a PKCS12 type file.\n  --nonRestrictiveRootCA\n                        Remove Root CA extensions. USE WITH CAUTION.\n  --ecc                 Use Elliptic Curves in preference to RSA.\n  --dnsName             Add a Subject Alternative Name (SAN) for the DNS hostname.\n  --userPrincipalName   Add a Subject Alternative Name (SAN) for the Windows User Principal Name (UPN).\n  --removeAllCertsAndKeys\n                        Removes all files matching wildcard *.crt, *.key, *.p12. USE WITH CAUTION.\n  --windowsInstallation\n                        Displays the installation instructions for Windows\n```\n\n# IMPORTANT\nEvery time you run the `--generateRootCA` or `--generateClientCertificate` argument, it will `_overwrite_` existing files. \nThis can lead to a new Root CA being generated that doesn't match the Client Certificate (if that was generated beforehand).\n\n## Generate Root CA\n```bash\n$ python3 generate-certificate.py --companyName \"Test123,. 
Inc\" --generateRootCA \n----------------------------------------------------------------------------\nDISCLAIMER:\nThese files are not meant for production environments. Use at your own risk.\n----------------------------------------------------------------------------\nRoot CA certificate filename - root-ca-test-inc.crt\nRoot CA private key filename - root-ca-test-inc.key\n```\n\n## Generate Root CA with PKCS12 file\nThis will create a p12 file with a randomly generated passphrase (outputted to stdout).\n```bash\n$ python3 generate-certificate.py --companyName \"Test123, Inc\" --generateRootCA --generatePKCS12\n----------------------------------------------------------------------------\nDISCLAIMER:\nThese files are not meant for production environments. Use at your own risk.\n----------------------------------------------------------------------------\nRoot CA certificate filename - root-ca-test-inc.crt\nRoot CA private key filename - root-ca-test-inc.key\nPassword for root-ca-test-inc.p12 is thisisnotreallyapassword\n```\n\nIn order to run the below commands, you need to run the `--generateRootCA` argument first. If the Root CA files haven't been generated, an error like this will appear:\n```bash\n$ python3 generate-certificate.py --companyName \"Test123, Inc\" --generateClientCertificate\nRoot CA public key and private key do not exist.\nExiting.\n```\n\n## Generate Client Certificate\n```bash\n$ python3 generate-certificate.py --companyName \"Test123, Inc\" --generateClientCertificate\n----------------------------------------------------------------------------\nDISCLAIMER:\nThese files are not meant for production environments. 
Use at your own risk.\n----------------------------------------------------------------------------\nClient certificate private key filename - client-cert-test-inc.key\nClient certificate public key filename - client-cert-test-inc.crt\n```\n\n## Generate Client Certificate with PKCS12 file\n```bash\n$ python3 generate-certificate.py --companyName \"Test123, Inc\" --generateClientCertificate --generatePKCS12\n----------------------------------------------------------------------------\nDISCLAIMER:\nThese files are not meant for production environments. Use at your own risk.\n----------------------------------------------------------------------------\nClient certificate private key filename - client-cert-test-inc.key\nClient certificate public key filename - client-cert-test-inc.crt\nPassword for client-cert-test-inc.p12 is thisisnotreallyapassword\n```\n\n## Generate Client Certificate with PKCS12 file and add Windows Installation Instructions\n```bash\n$ python3 generate-certificate.py --companyName \"Test123, Inc\" --generateClientCertificate --generatePKCS12 --windowsInstallation\n----------------------------------------------------------------------------\nDISCLAIMER:\nThese files are not meant for production environments. 
Use at your own risk.\n----------------------------------------------------------------------------\nClient certificate private key filename - client-cert-test-inc.key\nClient certificate public key filename - client-cert-test-inc.crt\nPassword for client-cert-test-inc.p12 is thisisnotreallyapassword\n----------------------------------------------------------------------------\nWindows Installation (from the directory where files are stored):\nTo install Client Authentication certificate into User certificate store (in both cases, click yes to install Root CA as well):\nC:\\\u003ecertutil -importpfx -f -user -p thisisnotreallyapassword client-cert-test-inc.p12 NoExport\n\nTo install certificate into Local Machine certificate store:\nC:\\\u003ecertutil -importpfx -f -Enterprise -p thisisnotreallyapassword client-cert-test-inc.p12 NoExport\n```\n\n## Generate Client Certificate with DNSName or userPrincipalName in Subject Alternative Name (SAN)\nMake sure to edit the field first (under `def certificateMetaData`):\n```python\ncertificateInfo['ClientAuthentication']['oid']['subjectAlternativeName']['DNSName']\n```\n```bash\n$ python3 generate-certificate.py --companyName \"Test123 Inc\" --generateClientCertificate --generatePKCS12 --dnsName\n```\nOR\n\nMake sure to edit the field first (under `def certificateMetaData`):\n```python\ncertificateInfo['ClientAuthentication']['oid']['subjectAlternativeName']['userPrincipalName']\n```\n```bash\n$ python3 generate-certificate.py --companyName \"Test123 Inc\" --generateClientCertificate --generatePKCS12 --userPrincipalName\n```\n\n## Remove files generated by script\nTo remove all files generated by the script\n```bash\n$ python generate-certificate.py --removeAllCertsAndKeys\n```\n\n\n# :closed_lock_with_key: :closed_lock_with_key: :closed_lock_with_key: Advanced :closed_lock_with_key: :closed_lock_with_key: :closed_lock_with_key:\nWARNING - editing this below is at your own risk. 
These values are not validated when changed, and the script will throw an error if they're not properly defined.\n\nMy recommendation is to leave the following fields:\n## Under `RootCertificateAuthority.json`\n* `CN`\n* `companyName`\n* `extensions`\n\n## Under `ClientCertificate.json`\n* `CN`\n* `extensions`\n\nIf you'd like to edit how the certificates are generated, there are 2 files that can be edited.\n\n## Sample `RootCertificateAuthority.json`\n```json\n{\n    \"oid\": {\n        \"CN\": null,\n        \"companyName\": null,\n        \"organizationalUnit\": \"Client Authentication CA\",\n        \"locality\": null,\n        \"stateOrProvince\": null,\n        \"organizationName\": null,\n        \"countryName\": null,\n        \"domainComponent\": [null]\n    },\n    \"rsa\": {\n        \"rsa_bits\": 2048,\n        \"digest\": \"sha512\"\n    },\n    \"ecc\": {\n        \"curve\": \"secp256r1\",\n        \"digest\": \"sha512\"\n    },\n    \"extensions\": {\n        \"keyUsage\": [\"digitalSignature\", \"nonRepudiation\", \"keyCertSign\"],\n        \"extendedKeyUsage\": [\"clientAuth\"]\n    }\n}\n```\n\n## Sample `ClientAuthentication.json`\n```json\n{\n    \"oid\": {\n        \"CN\": \"Endpoint Client Authentication\",\n        \"organizationalUnit\": \"Client Authentication\",\n        \"locality\": null,\n        \"stateOrProvince\": null,\n        \"organizationName\": null,\n        \"countryName\": null,\n        \"domainComponent\": [null],\n        \"subjectAlternativeName\": {\n            \"DNSName\": null,\n            \"userPrincipalName\": null\n        }\n    },\n    \"rsa\": {\n        \"rsa_bits\": 2048,\n        \"digest\": \"sha256\"\n    },\n    \"ecc\": {\n        \"curve\": \"secp256r1\",\n        \"digest\": \"sha256\"\n    },\n    \"extensions\": {\n        \"keyUsage\": [\"digitalSignature\", \"nonRepudiation\"],\n        \"extendedKeyUsage\": [\"clientAuth\"]\n    
}\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthescriptguy%2Fcertificateauthenticationgenerator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthescriptguy%2Fcertificateauthenticationgenerator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthescriptguy%2Fcertificateauthenticationgenerator/lists"}