← back to /blog← powrót do /blog

→ czytaj po polsku

certops: plan, drift, and trust stores for PKI

With certificates, the expiry date is rarely the whole story. A certificate can still be valid but come from the wrong CA. A runner may miss the root in its trust store. One endpoint can serve the new chain while another one still has the old one. Internal PKI quickly becomes a pile of small exceptions nobody wants to check by hand.

So I built certops — a small Go CLI for working with CA providers, service certificates, and trust stores from one terminal.

What it does

  • certops init creates a starter certops.yaml.
  • certops plan -f certops.yaml --live checks config, CA providers, inventory, trust policy, and service certificates.
  • certops drift -f certops.yaml --fail-on warn compares the desired YAML state with live CA and service checks.
  • CA providers: Smallstep, Vault PKI, CFSSL-compatible APIs, and plain PEM bundles from a file or URL.
  • Local trust store: trust plan, trust verify, trust install --yes.
  • Fleet trust store: fleet trust plan/apply/verify/remove over SSH on Linux hosts.
  • Endpoint checks: expiry, SAN/hostname, chain trust, TLS versions, ALPN, OCSP stapling, redirects, and HSTS.
  • Scriptable output: text, JSON, YAML-like, Prometheus text, HTML reports, and watch mode where it makes sense.

Important: some commands only report state, but trust install, fleet trust apply, and fleet trust remove modify trust stores. They require an explicit --yes.

Why

I wanted one tool that answers boring but important questions:

  • does the CA from config actually respond and match the expected fingerprint?
  • do services use certificates from the right CA with enough time left?
  • does this runner or app host trust the root it should trust?
  • what would change if I add this root CA to the trust store?
  • is there still drift after the change?

You can check all of that with openssl, curl, update-ca-certificates, and SSH, but after the third environment you are mostly copying commands from shell history. certops.yaml lets you describe that state once and then run plan, drift, or verify from a terminal or CI.

Where it lives

— Paweł


← back to /blog← powrót do /blog

→ czytaj po polsku