← back to /blog← powrót do /blog
certops: plan, drift, and trust stores for PKI
With certificates, the expiry date is rarely the whole story. A certificate can still be valid but come from the wrong CA. A runner may miss the root in its trust store. One endpoint can serve the new chain while another one still has the old one. Internal PKI quickly becomes a pile of small exceptions nobody wants to check by hand.
So I built certops — a small Go CLI for working with CA providers, service certificates, and trust stores from one terminal.
What it does
certops initcreates a startercertops.yaml.certops plan -f certops.yaml --livechecks config, CA providers, inventory, trust policy, and service certificates.certops drift -f certops.yaml --fail-on warncompares the desired YAML state with live CA and service checks.- CA providers: Smallstep, Vault PKI, CFSSL-compatible APIs, and plain PEM bundles from a file or URL.
- Local trust store:
trust plan,trust verify,trust install --yes. - Fleet trust store:
fleet trust plan/apply/verify/removeover SSH on Linux hosts. - Endpoint checks: expiry, SAN/hostname, chain trust, TLS versions, ALPN, OCSP stapling, redirects, and HSTS.
- Scriptable output: text, JSON, YAML-like, Prometheus text, HTML reports, and watch mode where it makes sense.
Important: some commands only report state, but trust install,
fleet trust apply, and fleet trust remove modify trust stores. They require
an explicit --yes.
Why
I wanted one tool that answers boring but important questions:
- does the CA from config actually respond and match the expected fingerprint?
- do services use certificates from the right CA with enough time left?
- does this runner or app host trust the root it should trust?
- what would change if I add this root CA to the trust store?
- is there still drift after the change?
You can check all of that with openssl, curl, update-ca-certificates, and SSH,
but after the third environment you are mostly copying commands from shell history.
certops.yaml lets you describe that state once and then run plan, drift, or
verify from a terminal or CI.
Where it lives
- Landing: systeam.pl/certops
- Source: github.com/pawel-cygal/certops — MIT
- Issues and pull requests welcome
— Paweł