certctl

A set of small, composable Python scripts for certificate lifecycle automation across:

• NetScaler Console (test / DR / prod consoles)
• NetScaler ADCs (via Console as the central management plane)
• External services (e.g., Imperva WAF)

This repo is intentionally modular: each script does one job well, so you can chain them in CI/CD, change-management workflows, or a future orchestrator.

Current status

Implemented (working end-to-end in lab):

• Create private key on NetScaler Console, download it, and generate a PEM CSR locally.

Planned / scaffolding:

• Polling/reporting of certificate expiry across Console + external vendors
• CA submission adapters (ADCS, Sectigo, etc.)
• Upload key/cert to Console and deployment to ADCs (with automatic CA chain linking)
• External WAF deployment (Imperva)

Directory layout

• certctl/ - library code used by scripts
• certctl/scripts/ - runnable scripts (single-purpose)

Included scripts

• certctl/scripts/nsconsole_certpoll.py - poll a NetScaler Console for stored certificate expiry data and write a table / CSV / JSON report.
• legacy/ - the original monolithic prototype script kept for reference

Quick start (lab)

Create a key on Console, download it, and create a CSR:

python3 -m certctl keycsr-console \
  --console https://192.168.113.2 \
  --user nsroot \
  --app-name example.com \
  --out-dir ./out \
  --insecure

Notes:

• --app-name is the CN base; with --rotate (default ON) we timestamp the filenames and never reuse keys.
• The CSR is created locally with OpenSSL because ns_ssl_csr is not supported in some Console deployments.

Security

• Secrets can be provided via env vars (recommended for CI):
  • CERTCTL_CONSOLE_PASSWORD
  • CERTCTL_KEY_PASSPHRASE
• On macOS, you can optionally store these in Keychain via prompts.
• Enterprise vault integration (AWS Secrets Manager / Azure Key Vault / etc.) will be added as a separate module.