This commit is contained in:
deamonkai
2026-01-23 12:11:21 -06:00
commit fc94008530
16494 changed files with 2974672 additions and 0 deletions

README.md Normal file

@@ -0,0 +1,57 @@
# certctl
A set of small, composable Python scripts for certificate lifecycle automation across:
- **NetScaler Console** (test / DR / prod consoles)
- **NetScaler ADCs** (via Console as the central management plane)
- **External services** (e.g., Imperva WAF)
This repo is intentionally modular: each script does **one job well**, so you can
chain them in CI/CD, change-management workflows, or a future orchestrator.
## Current status
Implemented (working end-to-end in lab):
- **Create private key on NetScaler Console**, download it, and generate a **PEM CSR locally**.
Planned / scaffolding:
- Polling/reporting of certificate expiry across Console + external vendors
- CA submission adapters (ADCS, Sectigo, etc.)
- Upload key/cert to Console and deployment to ADCs (with automatic CA chain linking)
- External WAF deployment (Imperva)
## Directory layout
- `certctl/` - library code used by scripts
- `certctl/scripts/` - runnable scripts (single-purpose)
### Included scripts
- `certctl/scripts/nsconsole_certpoll.py` - poll a NetScaler Console for stored certificate expiry data and write a table / CSV / JSON report.
- `legacy/` - the original monolithic prototype script kept for reference
## Quick start (lab)
Create a key on Console, download it, and create a CSR:
```bash
python3 -m certctl keycsr-console \
--console https://192.168.113.2 \
--user nsroot \
--app-name example.com \
--out-dir ./out \
--insecure
```
Notes:
- `--app-name` is the CN base; with `--rotate` (default ON) we timestamp the filenames and **never reuse keys**.
- The CSR is created locally with OpenSSL because `ns_ssl_csr` is not supported in some Console deployments.
## Security
- Secrets can be provided via env vars (recommended for CI):
- `CERTCTL_CONSOLE_PASSWORD`
- `CERTCTL_KEY_PASSPHRASE`
- On **macOS**, you can optionally store these in Keychain via prompts.
- Enterprise vault integration (AWS Secrets Manager / Azure Key Vault / etc.) will be added as a separate module.
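Review bot: the quick start (`python3 -m certctl keycsr-console ... --insecure`) documents disabling TLS verification as the default way to reach the Console, while the `## Security` section never mentions the flag; the generated private key is downloaded over that connection, so state next to the flag that it is lab-only and document the verified path (trusting the Console's CA certificate) as the recommended one. Two smaller inconsistencies in the same hunk: `## Current status` lists certificate-expiry polling under "Planned / scaffolding" while `### Included scripts` already lists `certctl/scripts/nsconsole_certpoll.py`, and `legacy/` is listed under `### Included scripts` although it is a top-level directory, so it belongs in the `## Directory layout` list.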