Keyser, single bash script for SSL certificates management


Keyser is a command-line utility designed to streamline the creation, management, and protection of SSL certificates with security and efficiency. Distributed as a single Bash script, it provides developers and system administrators with a lightweight yet powerful tool to generate certificate authorities, intermediate chains, and signed certificates — with optional GPG encryption for enhanced security.

Keyser stands out by being self-contained, documented, and testable. It needs no external tools or dependencies beyond the OpenSSL (and optionally GPG) command-line tools already present on your system, and is particularly valuable in environments where transparency and minimalism matter.

It is written as a single Bash script file.

Why Keyser?

Certificate lifecycle management often involves complex tools or heavyweight PKI platforms. In contrast, Keyser is lightweight, scriptable, and easy to audit, making it suitable for development, testing, and even production when transparency and reproducibility are essential.

With Keyser, the following tasks become straightforward:

  • Initialize a local certificate authority
  • Create intermediate and leaf certificates
  • Use GPG to encrypt certificate keys
  • Store, list, and inspect certificates
  • Version control the vault directory when encrypted with GPG

Keyser is aimed at:

  • System administrators seeking a portable SSL tool
  • Developers needing quick and repeatable certificate generation
  • Security professionals preferring transparent, file-based solutions

A basic understanding of the OpenSSL and GPG command-line tools is recommended but not necessary.

Features

  • Generate self-signed root and intermediate certificates
  • Create and sign leaf certificates
  • Encrypt certificate keys using GPG
  • Store and organize certificates by domain in a vault directory
  • Inspect and export certificate metadata
  • Fully documented and covered by test cases

Installation

Keyser is a single Bash file and can be installed without external dependencies. It stores and manages certificates inside a vault directory.

The latest version is downloaded from the GitHub repository:

curl -L -o ~/.keyser/bin/keyser https://bit.ly/adaltas-keyser
chmod +x ~/.keyser/bin/keyser

The script is added to the PATH.

echo 'PATH="$PATH:$HOME/.keyser/bin"' >> ~/.profile
source ~/.profile

Optionally, the vault directory can be set to a different location.

echo "export KEYSER_VAULT_DIR=~/.keyser/vault" >> ~/.profile

To enable optional GPG encryption for private keys, a passphrase can be exported.

echo "export KEYSER_GPG_PASSPHRASE=<change_this_secret>" >> ~/.profile

Leave the variable unset or empty to disable encryption.

Keyser is now successfully installed.

# Help
keyser
# Current version
keyser version

Usage

The keyser command lists all the available commands. Use keyser -h to print the help of an individual command.

The following sections focus on:

  • generating a certificate authority
  • generating a certificate for an intermediate domain
  • generating a wildcard certificate for subdomains

For illustration purposes, the following names are used:

  • MyAuthority is the name for our certificate authority
  • example.test is the intermediate domain name
  • www.example.test is a subdomain of example.test

A new certificate vault is initialized. The init command creates the base directory structure.

keyser init

When using GPG encryption, certificate keys are encrypted and the vault directory may be version controlled with a tool like Git.

Certificate authority (CA)

keyser cacert \
  -c FR \
  -e no-reply@test \
  -l "Local test environment" \
  -o MyAuthority \
  test

The following flags are used:

  • -c: Country of the issuer
  • -e: Email of the issuer
  • -o: Organization of the issuer
  • -l: Location of the issuer
  • positional argument: FQDN of the registered certificate (test here)

Certificate authority information is obtained with the cacert_view command.

# Certificate content
keyser cacert_view test
# Subject information
keyser cacert_view -s test
# Text and fingerprint information
keyser cacert_view -t test

Intermediate domain certificate

An intermediate domain certificate is created.

keyser cert -i \
  -e no-reply@test \
  example.test

The cert_list command lists all the registered certificates.

keyser cert_list

Wildcard certificate

This command creates a wildcard certificate for the subdomains of your domain. The -d option sets the certificate Subject Alternative Name (SAN). Web browsers require the SAN to recognize the certificate.

keyser cert \
  -d '*.example.test' \
  '*.example.test'

The certificate files are exported to a directory of your choice.

keyser cert_export -c \
  '*.example.test' ~/.certs

Files ca.crt, cert.pem, key.pem, and sign.cnf are created inside the exported directory.

ls ~/vault/test.example.\*
ca.crt  cert.pem key.pem  sign.cnf

Intermediate certificates help isolate your root CA. The main advantage of an intermediate certificate is to allow for hierarchical trust delegation, enabling organizations to manage and issue certificates for their services while maintaining a chain of trust to a root Certificate Authority (CA) without exposing the root CA’s private key. Refer to the documentation for more information.

Security model

Keyser supports optional GPG encryption for private key material. When the KEYSER_GPG_PASSPHRASE environment variable is set, all newly generated keys are encrypted at rest. This helps protect against unauthorized local access in multi-user or shared environments.

Contributing

Keyser is open source and hosted on GitHub. Contributions are welcome.

Before submitting a pull request, ensure your code is documented and covered by test cases.

Conclusion

Keyser offers a straightforward yet powerful approach to SSL certificate management. Its minimalistic design, combined with strong security features like optional GPG encryption, makes it a perfect solution for developers, system administrators, and security professionals. Whether you are working in development, testing, or production environments, Keyser ensures that managing SSL certificates is efficient, secure and understandable.
