Lupaxa CertTool

lupaxa-certtool is a small, security-focused utility for generating self-signed X.509 certificates, certificate signing requests (CSRs), and private keys from either:

  • Command-line options (DN + config), or
  • One or more JSON configuration files.

It is designed for:

  • Local development
  • Labs, demos and PoCs
  • Quickly bootstrapping TLS for services like Apache, Nginx, or internal tools

Features

  • CLI and Python API
  • JSON-based configuration (single file or directory of files)
  • Optional output directory with per-certificate subdirectories
  • RSA key generation (configurable key size)
  • Self-signed certificates with configurable validity
  • SAN (Subject Alternative Name) support via JSON
  • Built-in --validate-config to check JSON configs
  • --inspect-cert to inspect existing PEM certificates
  • Fully tested with pytest, ruff, and mypy

Security Warning — Do Not Use These Certificates in Production

The certificates generated by this tool are self-signed and are intended only for development, testing, internal tooling, and non-security-critical environments. Self-signed certificates carry no third-party attestation of identity: clients cannot validate them against a trusted CA, so they offer no protection against man-in-the-middle attacks in production systems.

In secure deployments, always:

  • Use certificates issued by a trusted Certificate Authority (CA)
    (public CA for internet-facing systems, or a properly managed private CA within your organisation).
  • Protect private keys with strict file permissions and rotate them regularly.
  • Avoid re-using development certificates or keys on production hosts.
  • Validate certificate chains, expiration dates, key sizes, and signature algorithms as part of your CI/CD or deployment process.
  • Ensure that TLS configurations follow modern hardening guidance (e.g., current Mozilla or OWASP recommendations).
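
One way to automate part of the validation step in the list above, as an added example that is not part of lupaxa-certtool or its documentation: a deployment gate that flags self-signed, expiring, short-key, or weakly hashed certificates. It assumes the third-party cryptography package and RSA certificates; the function names, thresholds, and sample hostname are illustrative, and it does not build or verify a full chain.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_sample_cert(bits=2048, days=30, start=None):
    """Constructed sample input: a throwaway self-signed RSA certificate."""
    start = start or datetime.now(timezone.utc)
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "dev.example.test")])
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + timedelta(days=days)))
    return builder.sign(key, hashes.SHA256())


def is_self_signed(cert):
    """RSA certs only: issuer equals subject and the cert's own key verifies it."""
    pub = cert.public_key()
    if cert.issuer != cert.subject or not isinstance(pub, rsa.RSAPublicKey):
        return False  # non-RSA keys are out of scope for this example
    try:  # assumes a PKCS#1 v1.5 signature, the usual RSA certificate default
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def audit(cert, now=None, min_bits=2048, min_days_left=14, weak_hashes=("md5", "sha1")):
    """Return policy findings for one certificate; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    # cryptography >= 42 has not_valid_after_utc; older releases return naive UTC
    not_after = getattr(cert, "not_valid_after_utc", None) \
        or cert.not_valid_after.replace(tzinfo=timezone.utc)
    findings = ["self-signed"] if is_self_signed(cert) else []
    if not_after <= now:
        findings.append("expired")
    elif not_after - now < timedelta(days=min_days_left):
        findings.append("expires-soon")
    pub, sig_hash = cert.public_key(), cert.signature_hash_algorithm
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < min_bits:
        findings.append("weak-key")
    if sig_hash is not None and sig_hash.name in weak_hashes:
        findings.append("weak-signature-hash")
    return findings
```

In a pipeline, load each deployed PEM file with x509.load_pem_x509_certificate(), pass it to audit(), and fail the job when the returned list is not empty.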

Self-signed certificates are useful for local testing, CI pipelines, and ephemeral environments — but they provide no assurance of identity or trustworthiness in real-world security scenarios.

For more information please refer to the Security Guidance documentation.