Certipy: CA and Certificate Utility
Certipy (version 0.2.2) is a Python utility designed to simplify the creation and signing of Certificate Authorities (CAs) and certificates on the fly. It wraps `pyOpenSSL` to manage certificate records, maintain signing hierarchies, and persist certificates to files. The project appears to be in maintenance mode: its latest PyPI release was in March 2025, though active development on GitHub seems to have slowed since early 2023.
Common errors
- ModuleNotFoundError: No module named 'certipy'
  cause: The `certipy` package is not installed in your current Python environment.
  fix: Install the package using pip: `pip install certipy`.
- ImportError: cannot import name 'Certipy' from 'certipy'
  cause: This error often indicates that you are importing `Certipy` from a different (or conflicting) package installed under a similar name, or that the package structure has changed. It can also happen if a local file named `certipy.py` shadows the installed package.
  fix: Verify that you have installed the correct `certipy` library (`pip show certipy`) and that there isn't a local file or directory named `certipy.py` or `certipy/` in your project path that could be causing a name collision. The correct import is `from certipy import Certipy` for the LLNL project.
Warnings
- gotcha There are two distinct Python libraries named 'certipy' or similar, causing potential confusion. This entry refers to `certipy` by LLNL (version 0.2.2), which is a general-purpose PKI utility. The other, `certipy-ad` (by ly4k, version 5.x.x), is an Active Directory Certificate Services (AD CS) enumeration and abuse tool. Ensure you install and use the correct library for your needs.
- gotcha The `certipy` library internally relies on `pyOpenSSL` and `cryptography` for its core functionality. Compatibility issues with specific versions of these underlying libraries can sometimes occur. Always ensure your environment has compatible versions if you encounter obscure cryptographic errors.
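The check behind the ImportError fix and the name-collision warning above can be scripted. This is an added example, not code from the certipy project. The function names `diagnose` and `diagnose_environment` are hypothetical, and `packages_distributions()` requires Python 3.10 or later.

```python
import importlib.util
import os

EXPECTED_DIST = "certipy"  # the LLNL PKI utility this page describes
IMPORT_NAME = "certipy"    # top-level module name used in `from certipy import Certipy`


def diagnose(providers, origin, project_dir):
    """Return a list of problems explaining a failing `from certipy import Certipy`.

    providers   -- names of installed distributions that ship a top-level `certipy`
    origin      -- file Python would load for `import certipy`, or None
    project_dir -- directory to check for a shadowing certipy.py or certipy/
    """
    problems = []
    # Normalise names so that certipy_ad and certipy-ad compare equal.
    names = sorted({p.lower().replace("_", "-") for p in providers})
    if EXPECTED_DIST not in names:
        problems.append(f"distribution '{EXPECTED_DIST}' is not installed")
    others = [n for n in names if n != EXPECTED_DIST]
    if others:
        problems.append(f"import name also provided by: {', '.join(others)}")
    if origin and project_dir:
        root = os.path.abspath(project_dir)
        path = os.path.abspath(origin)
        local = {os.path.join(root, IMPORT_NAME + ".py"),
                 os.path.join(root, IMPORT_NAME, "__init__.py")}
        if path in local:
            problems.append(f"local file shadows the package: {path}")
    return problems


def diagnose_environment(project_dir="."):
    """Collect the inputs from the running interpreter and diagnose them."""
    from importlib.metadata import packages_distributions  # Python 3.10+
    providers = packages_distributions().get(IMPORT_NAME, [])
    spec = importlib.util.find_spec(IMPORT_NAME)  # locates the module without importing it
    origin = spec.origin if spec else None
    return diagnose(providers, origin, project_dir)


if __name__ == "__main__":
    for line in diagnose_environment(os.getcwd()) or ["certipy import looks clean"]:
        print(line)
```

An empty result means only the expected distribution provides the import name and nothing in the project directory shadows it.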
Install
- pip install certipy
Imports
- Certipy
from certipy import Certipy
Quickstart
from certipy import Certipy
import os
import shutil

# Create a working directory for the store (removed again in the finally block)
store_dir = os.path.join(os.getcwd(), 'cert_store')
os.makedirs(store_dir, exist_ok=True)

try:
    # Initialize Certipy with a store directory
    certipy_instance = Certipy(store_dir=store_dir)

    # Create a Certificate Authority (CA)
    ca_name = 'my_root_ca'
    certipy_instance.create_ca(ca_name)
    # get_record() returns a dict; file paths live under its 'files' key
    root_ca_record = certipy_instance.store.get_record(ca_name)
    print(f"Root CA '{ca_name}' created at: {root_ca_record['files']['cert']}")

    # Create and sign a key-certificate pair using the CA
    cert_name = 'my_server_cert'
    certipy_instance.create_signed_pair(cert_name, ca_name)
    server_cert_record = certipy_instance.store.get_record(cert_name)
    print(f"Signed certificate '{cert_name}' created at: {server_cert_record['files']['cert']}")
finally:
    # Clean up the store directory, including the generated private keys
    if os.path.exists(store_dir):
        shutil.rmtree(store_dir)
        print(f"Cleaned up directory: {store_dir}")