A user-friendly CLI tool for certificate management. Like HTTPie, but for certificates.
certwiz makes working with X.509 certificates as simple as possible. No more wrestling with OpenSSL's arcane syntax or trying to remember complex command flags. Just simple, intuitive commands that do what you expect.
- π Inspect certificates from files or live websites
- π Generate self-signed certificates with custom SANs
- π Create CSRs (Certificate Signing Requests) for CA signing
- ποΈ Create CAs to sign certificates and build trust chains
- βοΈ Sign certificates using your own Certificate Authority
- π Convert between PEM and DER formats effortlessly
- β Verify certificates against hostnames
- π View certificate chains to understand trust paths
- π Detailed extension analysis with human-readable output
- π¨ Beautiful terminal output with colors and formatting
- π JSON output for scripting and automation
- π‘ Smart defaults that just work
# Inspect a website's certificate
cert inspect google.com
# Generate a self-signed certificate
cert generate --cn myapp.local --san "*.myapp.local"
# Create a Certificate Signing Request
cert csr --cn server.example.com --org "My Company"
# Create a Certificate Authority
cert ca --cn "Company Root CA" --org "My Company"
# Sign a CSR with your CA
cert sign --csr server.csr --ca ca.crt --ca-key ca.key
# Convert certificate format
cert convert cert.pem cert.der --format der
# View the full certificate chain
cert inspect github.com --chain
# Inspect through a proxy or tunnel
cert inspect api.example.com --connect localhost:8080
cert inspect internal.site --connect tunnel.local --port 443
# Force specific certificate type (for dual-cert servers)
cert inspect cloudflare.com --sig-alg ecdsa # Get ECDSA certificate
cert inspect cloudflare.com --sig-alg rsa # Get RSA certificateInstall the latest version with our installer script:
curl -sSL https://raw.githubusercontent.com/trahma/certwiz/main/install.sh | bashOr install a specific version:
curl -sSL https://raw.githubusercontent.com/trahma/certwiz/main/install.sh | bash -s -- --version v0.1.0To update cert to the latest version:
cert updateThe installer will automatically detect your existing installation and upgrade it in place.
Download pre-built binaries from the releases page.
# Apple Silicon (M1/M2/M3)
curl -L https://github.com/trahma/certwiz/releases/latest/download/cert-darwin-arm64.tar.gz | tar xz
sudo mv cert-darwin-arm64 /usr/local/bin/cert
# Intel
curl -L https://github.com/trahma/certwiz/releases/latest/download/cert-darwin-amd64.tar.gz | tar xz
sudo mv cert-darwin-amd64 /usr/local/bin/cert# 64-bit
curl -L https://github.com/trahma/certwiz/releases/latest/download/cert-linux-amd64.tar.gz | tar xz
sudo mv cert-linux-amd64 /usr/local/bin/certgo install github.com/trahma/certwiz@latest
# or
git clone https://github.com/trahma/certwiz
cd certwiz
make buildDownload pre-built binaries from the releases page.
The binary will be named cert for ease of use.
# Inspecting a certificate - hard to remember!
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -text -noout
# Generating a certificate with SANs - so complex!
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=example.com" -extensions v3_req -config <(echo "[req]"; echo "distinguished_name=req_distinguished_name"; echo "[v3_req]"; echo "subjectAltName=DNS:example.com,DNS:*.example.com")# Inspecting a certificate
cert inspect example.com
# Generating a certificate with SANs
cert generate --cn example.com --san example.com --san "*.example.com"All commands support JSON output for easy scripting and automation:
# Inspect with JSON output
cert inspect google.com --json | jq '.subject.common_name'
# Generate and get file paths
cert generate --cn test.local --json | jq '.files[]'
# Verify and check status
cert verify cert.pem --json | jq '.is_valid'
# Parse certificate expiry
cert inspect cert.pem --json | jq '.days_until_expiry'- View certificates from files (PEM/DER) or live websites
- Automatic format detection
- Shows all SANs with intelligent wrapping
- Highlights expiration status with color coding
- Displays full certificate chain with
--chain - Shows detailed extensions with
--full - Connect through proxies/tunnels with
--connectflag - Force ECDSA or RSA certificate selection with
--sig-algflag
- Create self-signed certificates instantly
- Support for multiple SANs (DNS names and IP addresses)
- Customizable validity period and key size
- Generates both certificate and private key files
- Check certificate validity dates
- Verify hostname matches
- Validate against CA certificates
- Clear pass/fail status indicators
- Color-coded status indicators (π’ valid, π‘ expiring soon, π΄ expired)
- Clean, bordered tables for certificate information
- Smart terminal width detection and text wrapping
- Icons and symbols for better readability
We welcome contributions! Please see our Contributing Guide for details.
MIT License - see LICENSE file for details.
- Inspired by HTTPie for its user-friendly approach
- Built with Cobra for CLI management
- Styled with Lipgloss for beautiful output
Made with β€οΈ by the certwiz team