SysTeam.pl / Products / certops
certopspki and tls operations cli
Check CA providers, service certificates, local trust stores, and remote Linux trust stores. Plan the desired state, detect drift, apply explicit trust-store changes, and verify the result.
Run a live plan from certops.yaml before touching any trust store. Mutating commands require explicit --yes.
$ certops plan -f certops.yaml --live scope target status change ───────────────────────────────────────────────────────── ca lan-step ok Smallstep CA configured ca vault-prod ok Vault PKI configured inventory runners ok 1 host configured trust runners manual trust policy configured; apply not run service internal-api ok issuer=Smallstep expires_in=72d summary: total=5 ok=4 warn=0 critical=0 manual=1 $ certops drift -f certops.yaml --fail-on warn drift: no blocking drift found
Built around config, checks, and explicit apply steps. Inspection commands report state; trust-store changes require --yes.
Validate certops.yaml, CA providers, inventory, trust policies, and services. With --live it fetches CA roots and runs TLS checks.
Compare configured PKI state with live CA and service checks. Use --fail-on warn when CI should block on drift.
Inspect Smallstep, Vault PKI, CFSSL-compatible APIs, and generic PEM bundles or URLs. Fingerprint pinning is supported for bootstrap cases.
Local trust-store plan, verify, and install for CA bundles. install modifies the local trust store and requires --yes.
Remote Linux trust-store plan, apply, verify, and remove over SSH. apply and remove require --yes.
Endpoint checks for expiry, SAN match, chain trust, TLS versions, ALPN, OCSP stapling, redirects, and HSTS. scan handles target lists.
YAML-driven endpoint verification for scripts and CI. Supports JSON, YAML-like output, Prometheus text, HTML reports, and watch mode.
check and verify can run until the target becomes OK. Useful after CA rotation, certificate deploys, and trust-store changes.
Linux, macOS, BSD. Single Go binary. Remote fleet trust currently targets Linux hosts over SSH.
$ git clone https://github.com/pawel-cygal/certops.git $ cd certops $ go build -o certops . $ sudo install -m 0755 certops /usr/local/bin/certops $ certops init # starter config $ certops plan -f certops.yaml --live # inspect desired state $ certops drift -f certops.yaml --fail-on warn $ certops --help
Use certops.yaml to describe CAs, trust targets, and service certificates. Run plan and drift before changes, then apply trust-store updates explicitly.