SysTeam.pl / Products / certops

certops

pki and tls operations cli

PKI from one terminal

Check CA providers, service certificates, local trust stores, and remote Linux trust stores. Plan the desired state, detect drift, apply explicit trust-store changes, and verify the result.

What it looks like

Run a live plan from certops.yaml before touching any trust store. Mutating commands require explicit --yes.

certops plan
$ certops plan -f certops.yaml --live

scope      target        status     change
─────────────────────────────────────────────────────────
ca         lan-step      ok         Smallstep CA configured
ca         vault-prod    ok         Vault PKI configured
inventory  runners      ok         1 host configured
trust      runners      manual     trust policy configured; apply not run
service    internal-api  ok         issuer=Smallstep expires_in=72d

summary: total=5 ok=4 warn=0 critical=0 manual=1

$ certops drift -f certops.yaml --fail-on warn
drift: no blocking drift found

Commands

Built around config, checks, and explicit apply steps. Inspection commands report state; trust-store changes require --yes.

plan

Validate certops.yaml, CA providers, inventory, trust policies, and services. With --live it fetches CA roots and runs TLS checks.

drift

Compare configured PKI state with live CA and service checks. Use --fail-on warn when CI should block on drift.

CA providers

Inspect Smallstep, Vault PKI, CFSSL-compatible APIs, and generic PEM bundles or URLs. Fingerprint pinning is supported for bootstrap cases.

trust

Local trust-store plan, verify, and install for CA bundles. install modifies the local trust store and requires --yes.

fleet trust

Remote Linux trust-store plan, apply, verify, and remove over SSH. apply and remove require --yes.

check / scan

Endpoint checks for expiry, SAN match, chain trust, TLS versions, ALPN, OCSP stapling, redirects, and HSTS. scan handles target lists.

verify

YAML-driven endpoint verification for scripts and CI. Supports JSON, YAML-like output, Prometheus text, HTML reports, and watch mode.

watch mode

check and verify can run until the target becomes OK. Useful after CA rotation, certificate deploys, and trust-store changes.

Quick install

Linux, macOS, BSD. Single Go binary. Remote fleet trust currently targets Linux hosts over SSH.

$ git clone https://github.com/pawel-cygal/certops.git
$ cd certops
$ go build -o certops .
$ sudo install -m 0755 certops /usr/local/bin/certops

$ certops init                         # starter config
$ certops plan -f certops.yaml --live   # inspect desired state
$ certops drift -f certops.yaml --fail-on warn
$ certops --help

Full README on GitHub →

Put PKI state in code

Use certops.yaml to describe CAs, trust targets, and service certificates. Run plan and drift before changes, then apply trust-store updates explicitly.