A user-friendly CLI tool for certificate management. Like HTTPie, but for certificates.

certwiz makes working with X.509 certificates as simple as possible. No more wrestling with OpenSSL's arcane syntax or trying to remember complex command flags. Just simple, intuitive commands that do what you expect.

• 🔍 Inspect certificates from files or live websites
• 🔐 Generate self-signed certificates with custom SANs
• 🔄 Convert between PEM and DER formats effortlessly
• ✅ Verify certificates against hostnames
• 🔗 View certificate chains to understand trust paths
• 📊 Detailed extension analysis with human-readable output
• 🎨 Beautiful terminal output with colors and formatting
• 💡 Smart defaults that just work

# Inspect a website's certificate
cert inspect google.com

# Generate a self-signed certificate
cert generate --cn myapp.local --san "*.myapp.local"

# Convert certificate format
cert convert cert.pem cert.der --format der

# View the full certificate chain
cert inspect github.com --chain

Install the latest version with our installer script:

curl -sSL https://raw.githubusercontent.com/trahma/certwiz/main/install.sh | bash

Or install a specific version:

curl -sSL https://raw.githubusercontent.com/trahma/certwiz/main/install.sh | bash -s -- --version v0.1.0

Download pre-built binaries from the releases page.

# Apple Silicon (M1/M2/M3)
curl -L https://github.com/trahma/certwiz/releases/latest/download/cert-darwin-arm64.tar.gz | tar xz
sudo mv cert-darwin-arm64 /usr/local/bin/cert

# Intel
curl -L https://github.com/trahma/certwiz/releases/latest/download/cert-darwin-amd64.tar.gz | tar xz
sudo mv cert-darwin-amd64 /usr/local/bin/cert

# 64-bit
curl -L https://github.com/trahma/certwiz/releases/latest/download/cert-linux-amd64.tar.gz | tar xz
sudo mv cert-linux-amd64 /usr/local/bin/cert

go install github.com/trahma/certwiz@latest
# or
git clone https://github.com/trahma/certwiz
cd certwiz
make build

Download pre-built binaries from the releases page.

The binary will be named cert for ease of use.

• Installation Guide
• Usage Guide
• Command Reference
• Examples
• FAQ
• Contributing

# Inspecting a certificate - hard to remember!
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -text -noout

# Generating a certificate with SANs - so complex!
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=example.com" -extensions v3_req -config <(echo "[req]"; echo "distinguished_name=req_distinguished_name"; echo "[v3_req]"; echo "subjectAltName=DNS:example.com,DNS:*.example.com")

# Inspecting a certificate
cert inspect example.com

# Generating a certificate with SANs
cert generate --cn example.com --san example.com --san "*.example.com"

• View certificates from files (PEM/DER) or live websites
• Automatic format detection
• Shows all SANs with intelligent wrapping
• Highlights expiration status with color coding
• Displays full certificate chain with --chain
• Shows detailed extensions with --full

• Create self-signed certificates instantly
• Support for multiple SANs (DNS names and IP addresses)
• Customizable validity period and key size
• Generates both certificate and private key files

• Check certificate validity dates
• Verify hostname matches
• Validate against CA certificates
• Clear pass/fail status indicators

• Color-coded status indicators (🟢 valid, 🟡 expiring soon, 🔴 expired)
• Clean, bordered tables for certificate information
• Smart terminal width detection and text wrapping
• Icons and symbols for better readability

We welcome contributions! Please see our Contributing Guide for details.

MIT License - see LICENSE file for details.

• Inspired by HTTPie for its user-friendly approach
• Built with Cobra for CLI management
• Styled with Lipgloss for beautiful output

Made with ❤️ by the certwiz team