certpilot
A powerful CLI tool for managing SSL certificates — generate CSRs and deploy certificates to remote servers via SSH.
Features
- Interactive and non-interactive CSR generation
- SSH-based certificate deployment with automatic backup
- Multi-platform support (macOS, Linux, Windows)
- Domain common name management
- Web server config validation and auto-reload (httpd, nginx, apache2)
- First-run setup wizard for organization details
Installation
npm install -g certpilot
Quick Start
# Generate a new CSR (interactive)
certpilot new
# Deploy certificate to remote server (interactive)
certpilot deploy
# Manage domains
certpilot domain list
certpilot domain add example.com
# View configuration
certpilot config show
Usage
certpilot new
Generate a new Certificate Signing Request (CSR) and private key.
# Interactive mode — select domain and enter email
certpilot new
# Non-interactive mode
certpilot new --cn example.com --email admin@example.com --no-interactive
# With custom organization details
certpilot new --cn example.com --email admin@example.com \
--country US --state California --locality "San Francisco" \
--org "My Corp" --ou "Engineering" --no-interactive
# Custom output directory and key size
certpilot new --cn example.com --email admin@example.com \
--output /path/to/certs --key-size 4096 --no-interactive
Flags:
| Flag | Short | Description |
|---|---|---|
| --cn | -c | Common Name (CN) for the certificate |
| --email | -e | Email address for the certificate |
| --country | | Country code (C), read from config |
| --state | | State or Province (ST), read from config |
| --locality | | Locality or City (L), read from config |
| --org | -o | Organization (O), read from config |
| --ou | | Organizational Unit (OU), read from config |
| --output | -d | Output directory (default: ~/.config/openssl/) |
| --key-size | | RSA key size in bits (default: 2048) |
| --no-interactive | | Run in non-interactive mode |
Organization details (--country, --state, etc.) are read from your config file by default. Run certpilot config show to check current values, or certpilot config reset to re-run the setup wizard.
certpilot deploy
Deploy SSL certificates to a remote server via SSH.
# Interactive mode — select host and domain from lists
certpilot deploy
# Specify host and domain
certpilot deploy --host myserver --domain example.com
# Deploy to nginx server
certpilot deploy --host myserver --domain example.com --server nginx
# Custom remote certificate paths
certpilot deploy --host myserver --domain example.com \
--ca-path /etc/nginx/ssl/ca.crt \
--crt-path /etc/nginx/ssl/cert.crt \
--key-path /etc/nginx/ssl/key.key
# Skip validation and reload
certpilot deploy --host myserver --domain example.com \
--skip-validate --skip-reload
Flags:
| Flag | Short | Description |
|---|---|---|
| --host | -H | SSH host name from SSH config |
| --domain | -d | Domain name for the certificate |
| --server | -s | Web server type: httpd, nginx, apache2 (default: httpd) |
| --ssh-config | | Path to SSH config file (default: ~/.ssh/config) |
| --cert-dir | | Local certificate directory (default: ~/.config/openssl/<domain>/) |
| --ca-path | | Custom remote CA file path |
| --crt-path | | Custom remote certificate file path |
| --key-path | | Custom remote key file path |
| --skip-validate | | Skip web server config validation |
| --skip-reload | | Skip service reload after deployment |
Deployment process:
- Read SSH config and connect to server
- Backup existing certificates (.backup)
- Upload CA, certificate, and key files
- Set file permissions (644 for certs, 600 for keys)
- Validate web server configuration
- Reload web server to apply new certificates
certpilot domain
Manage domain common names.
certpilot domain list # List all domains with file status
certpilot domain add example.com # Add a new domain
certpilot domain remove example.com # Remove a domain
certpilot domain search example # Search domains by keyword
certpilot config
Manage configuration settings.
certpilot config show # Show current configuration
certpilot config edit # Edit configuration interactively
certpilot config reset # Reset and re-run setup wizard
Certificate File Format
Generated files are stored in ~/.config/openssl/<domain>/:
~/.config/openssl/example.com/
├── key.pem # Private key
├── example.com.csr # Certificate Signing Request
├── cert.pem # Certificate (placeholder, replace with CA-signed cert)
└── ca.pem # CA certificate (placeholder)
Workflow:
- Run certpilot new to generate CSR and private key
- Submit the .csr file to your Certificate Authority (CA)
- Place the signed certificate in cert.pem and CA chain in ca.pem
- Run certpilot deploy to upload to your server
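A pre-deploy check for the directory layout and workflow above, as an added example (not certpilot's own code): it flags a key.pem readable by group or others, an RSA key below a chosen size, and cert.pem or ca.pem files that are still placeholders or do not match the key. The function names and the placeholder text in the sample directory are assumptions.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const crypto = require('node:crypto');

// Returns a list of findings; an empty list means the directory looks deployable.
function auditCertDir(dir, minBits = 2048) {
  const findings = [];
  const keyPath = path.join(dir, 'key.pem');
  let key = null;
  try {
    // The private key must not be readable by group or others (POSIX only).
    const mode = fs.statSync(keyPath).mode & 0o777;
    if (process.platform !== 'win32' && (mode & 0o077) !== 0) {
      findings.push(`key.pem mode is ${mode.toString(8)}, expected 600`);
    }
    key = crypto.createPrivateKey(fs.readFileSync(keyPath));
    const bits = key.asymmetricKeyDetails?.modulusLength;
    if (key.asymmetricKeyType === 'rsa' && bits < minBits) {
      findings.push(`RSA key is ${bits} bits, below ${minBits}`);
    }
  } catch (err) {
    findings.push(`key.pem unusable: ${err.message}`);
  }
  for (const name of ['cert.pem', 'ca.pem']) {
    let cert;
    try {
      cert = new crypto.X509Certificate(fs.readFileSync(path.join(dir, name)));
    } catch {
      findings.push(`${name} does not parse as an X.509 certificate (still a placeholder?)`);
      continue;
    }
    // The leaf certificate must carry the public half of key.pem.
    if (name === 'cert.pem' && key && !cert.checkPrivateKey(key)) {
      findings.push('cert.pem does not match key.pem');
    }
  }
  return findings;
}
// Constructed sample: fresh key plus invented placeholder text for cert.pem and ca.pem.
function buildSampleDir(keyMode = 0o600) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'certdir-'));
  const { privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  fs.writeFileSync(path.join(dir, 'key.pem'), privateKey.export({ type: 'pkcs8', format: 'pem' }));
  fs.chmodSync(path.join(dir, 'key.pem'), keyMode);
  for (const name of ['cert.pem', 'ca.pem']) fs.writeFileSync(path.join(dir, name), 'PLACEHOLDER\n');
  return dir;
}
console.log(auditCertDir(buildSampleDir()));
```

Run it against ~/.config/openssl/<domain>/ before certpilot deploy; pass 4096 as the second argument if your policy matches the --key-size 4096 example.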
SSH Configuration
The deploy command reads hosts from ~/.ssh/config:
Host myserver
HostName 192.168.1.100
User root
Port 22
IdentityFile ~/.ssh/id_rsa
Supported Web Servers
| Server | Config validation | Reload command |
|---|---|---|
| httpd (Apache) | httpd -t | systemctl reload httpd |
| nginx | nginx -t | systemctl reload nginx |
| apache2 | apache2ctl -t | systemctl reload apache2 |
Migration from make-csr-cli v2.x
| Before (v2.x) | After (v3.0) |
|---|---|
| make-csr generate | certpilot new |
| make-csr deploy | certpilot deploy |
| make-csr list | certpilot domain list |
| make-csr list --add "example.com" | certpilot domain add example.com |
| make-csr list --remove "example.com" | certpilot domain remove example.com |
| make-csr list --search "example" | certpilot domain search example |
| make-csr config --show | certpilot config show |
| make-csr config --edit | certpilot config edit |
| make-csr config --reset | certpilot config reset |
| Files: domain.key, domain.crt, domain.ca | Files: key.pem, cert.pem, ca.pem |
Legacy file format is still supported for deployment with a migration warning.
License
MIT