CertNanny is a client-side program that allows fully automatic renewal of certificates using the SCEP protocol.
The basic idea is to have a number of local keystores that are monitored for expiring certificates. If a certificate is about to expire, the program automatically creates a new certificate request with the existing certificate data, enrolls the request with the configured CA and polls the CA for the issued certificate. Once the certificate is ready, a new keystore with the new certificate is composed and replaces the old keystore.
Clients running CertNanny will need Perl 5.8 or higher installed.
In addition, an OpenSSL executable and the sscep tool are required on the client.
To use CertNanny with Machine Keystores under Windows, a patched OpenSSL (including the CAPI patch) is required. The official Windows package of CertNanny will include a patched version of OpenSSL.
On the CA side, a SCEP server is required. CertNanny has been extensively tested with the SCEP server of OpenXPKI but may also work with others.
If the SCEP server supports automatic approval (the renewal request is signed on the client side with the existing, old certificate; see http://tools.ietf.org/html/draft-nourse-scep-23#section-2.2), the CertNanny agent can perform in-place keystore replacement without operator interaction. Using hook functions, CertNanny can also reload or restart applications after a successful renewal.
CertNanny is designed to run on a large number of platforms. In addition, client applications that use certificates rely on many different keystore formats, most of which are already supported by the software:
| Keystore/OS | Unix | Windows |
|---|---|---|
| OpenSSL (PEM/DER) | yes | yes |
| PKCS #8 (PEM/DER) | yes | yes |
| PKCS #12 | yes | yes |
| Java Keystore (JKS) | yes | yes |
| IBM GSKit 7 Keystore (CMS) | yes | yes |
| Windows Certificate Store | n/a | yes |
Supported/tested Unix variants: Linux, AIX, Solaris x86, Solaris Sparc, Darwin (Mac OS X).
You can download the latest stable source code directly from GitHub.
Beginning with version 1.1 we will publish official CertNanny packages for the major operating systems (SuSE SLES, AIX 7, Solaris x86/Sparc 10).
CertNanny development is hosted on: https://github.com/certnanny/CertNanny
You will also find the issue tracker there.
Official milestones/releases are tracked on GitHub.
Release date: 2014-07-09
Bugfix release:
- Fix for MQ default certificate parsing error
Release date: 2014-05-11
Bugfix release:
- Solaris and AIX packing improvements
- MQ keystore support: fix for detecting labels on Windows systems
Release date: 2014-04-16
Bugfix release:
- fix for getNextCA ctime issue
- fix for IIS configuration issue
Release date: 2014-03-24
Bugfix release:
- fix for GSKit 8 under Windows
- Windows certreq inf file update
Release date: 2014-02-28
Key features:
- improved configuration features
- support of different key sizes in keystores
- Root CA certificates now stored in directory
- fully automatic Root CA update feature via SCEP GetNextCA
- "Root Only" Keystores (for trust anchor configuration)
- improved Windows keystore support (Machine Keystore)
- updated GSKit 7.1 support
- meta data submission in SCEP request
- additional hook functions (expired, invocation)
- improved logging
- packaging for all major platforms
Note: For administrative reasons there will be no 1.0 release.
Release date: 2007-06-19
This version introduces PKCS#12 support and adds MQ/GSKit support for Windows platforms. When creating a new keystore the configured Root Certificates are now examined for their validity period. Expired (and if desired not-yet-valid) certificates are not imported into the new keystore. This behaviour is fully configurable per keystore.
Release date: 2006-08-09
Fixes problems in certificate chain generation that occur if multiple CA certificate hierarchies are returned by the SCEP server. CertNanny now calculates the correct certificate chain based on the newly created certificate.
Release date: 2006-06-12
Introduces Windows Certificate Store and Java Keystore support
Release date: 2006-02-10
Introduces PKCS#8 support and improved OpenSSL keystore handling. New platforms: Windows, Tandem/NonStop (OSS)
Release date: 2005-12-23
Initial public release of CertNanny
The version numbers of official releases shall be limited to two positions. This leaves room for the local customization and repackaging sometimes needed in large-scale internal deployments without using up the available positions (AIX packages are effectively limited to three positions, since the fourth is reserved for incremental updates).
Last update: 2015-05-11