CERTO

CERTO is a powerful, self-hosted, open-source SSL Certificate Management and Certificate Authority (CA) platform built with Python and Flask. In today's security-conscious landscape, managing SSL certificates efficiently and securely is critical for any organization. CERTO provides a lightweight, private Certificate Authority solution that puts complete control back in your hands. Whether you're managing certificates for internal teams, DevOps infrastructure, or enterprise deployments, CERTO offers enterprise-grade features without the complexity or cost of commercial solutions.

What is CERTO?

CERTO stands for Certificate Authority Management Tool. It's a self-hosted application that allows you to create, manage, and deploy SSL certificates within your infrastructure without relying on external Certificate Authorities. This is particularly valuable for:

• Internal Networks - Manage certificates for internal services without public CAs
• Air-Gapped Environments - Deploy in isolated networks with no internet requirement
• Development Teams - Issue test certificates quickly without per-certificate costs
• DevOps Infrastructure - Automate certificate management for containerized applications
• Security-First Organizations - Maintain complete control over certificate issuance and revocation

Key Features

Certificate Authority Management

Root CA Creation and Management

• Create and manage your own Certificate Authorities with industry-standard encryption
• RSA 2048-bit encryption with SHA-256 hashing for maximum security
• Full control over CA parameters (organization, country, validity period)
• Import/export CA certificates as ZIP archives for backup and distribution
• Reissue Root CAs while preserving existing keypairs and subject identity
• Safe deletion with confirmation prompts to prevent accidental removal

CA Hierarchy Support

• Create multiple Root CAs for different purposes (development, staging, production)
• Manage CA lifecycles independently
• Maintain separate trust chains for different environments
• Easy CA switching between projects

SSL Certificate Handling

Certificate Generation

• Issue SSL certificates signed by your managed Root CAs
• Full X.509 certificate implementation with proper extensions
• SubjectAlternativeName (SAN) support for multiple hostnames and IP addresses
• Customizable certificate validity periods
• CN (Common Name) and SANs for comprehensive domain coverage

Advanced Features

• Certificate reissuance preserving keypairs and SANs
• Automatic fullchain.pem generation for web servers
• Proper certificate chain handling (Root CA + Intermediate + Leaf)
• Certificate format support (PEM, DER, PKCS#12)
• Easy certificate distribution and installation

Security Implementation

Authentication & Authorization

• Session-based login system with secure cookie handling
• Bcrypt password hashing with salt for maximum security
• Role-based access control (RBAC) with admin and user roles
• User management with password reset capabilities
• Audit logging of certificate operations

Two-Factor Authentication (2FA)

• TOTP (Time-based One-Time Password) implementation
• QR code generation for easy authenticator app setup
• Backup codes for account recovery (eight single-use codes)
• Bcrypt hashing of backup codes for security
• Admin MFA reset capabilities for account recovery

Air-Gap Compatible

• No external CDN dependencies
• No cloud service requirements
• Completely self-contained deployment
• Perfect for classified or secure environments
• Offline certificate validation support

Infrastructure & Deployment

Database

• SQLite backend for simplicity and portability
• No external database server required
• Easy backup and migration
• Zero configuration database setup

Web Interface

• Intuitive, responsive UI for certificate management
• Real-time certificate status display
• One-click certificate generation
• Bulk operations support
• Search and filter capabilities

Production Ready

• Docker and Docker Compose support
• Gunicorn production-grade WSGI server
• Proper security headers and HTTPS support
• Load balancer compatible
• Scalable architecture

Installation Guide

Prerequisites

• Docker and Docker Compose (recommended)
• Or: Python 3.7+, pip, and system dependencies
• Minimum 512MB RAM
• 100MB disk space for typical deployments

Quick Start with Docker (Recommended)

Step 1: Clone the Repository

git clone https://github.com/KaushalBhatol/certo.git
cd certo

Step 2: Start with Docker Compose

docker-compose up -d

Step 3: Access the Application
Open your browser and navigate to:

https://localhost:8080

Default Credentials:

• Username: admin
• Password: certo

⚠️ IMPORTANT: Change these credentials immediately after first login!

Installation on Linux (Manual)

Step 1: Install System Dependencies

For Ubuntu/Debian:

sudo apt update
sudo apt install -y python3 python3-pip python3-venv git

For RHEL/CentOS:

sudo dnf install -y python3 python3-pip git

Step 2: Clone and Setup

git clone https://github.com/KaushalBhatol/certo.git
cd certo
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Step 3: Configure Environment

# Copy example configuration
cp .env.example .env

# Edit configuration
nano .env

# Set these important values:
# SECRET_KEY=generate-a-random-key-here
# FLASK_ENV=production
# DEBUG=False

Step 4: Initialize Database

python3 app.py --init-db

Step 5: Run Application

For development:

python3 app.py

For production (using Gunicorn):

gunicorn -w 4 -b 0.0.0.0:8080 app:app

Access the application at https://localhost:8080

Usage Guide

Creating Your First Certificate Authority

1. Login with your credentials
2. Navigate to Certificate Authorities section
3. Click Create New CA
4. Fill in the CA details:
   • Organization Name (e.g., "MyCompany Inc")
   • Organization Unit (e.g., "IT Department")
   • Country (e.g., "US")
   • State/Province (e.g., "California")
   • City (e.g., "San Francisco")
   • Common Name (e.g., "MyCompany Root CA")
   • Validity Period (e.g., 10 years)
5. Click Create CA
6. Your CA is now created and ready to issue certificates

Issuing SSL Certificates

1. Navigate to Issue Certificate
2. Select the Root CA to sign with
3. Enter certificate details:
   • Common Name (e.g., "example.com")
   • Subject Alternative Names (SANs):
     • Additional hostnames (e.g., "www.example.com", "api.example.com")
     • IP addresses (e.g., "192.168.1.1")
   • Validity Period (e.g., 1 year)
4. Click Generate Certificate
5. Download the certificate bundle:
   • certificate.pem - Your certificate
   • private.key - Private key (keep secure!)
   • fullchain.pem - Full certificate chain

Installing Certificates in Your Application

For Nginx:

server {
    listen 443 ssl;
    server_name example.com;
    
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/private.key;
    
    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}

For Apache:

<VirtualHost *:443>
    ServerName example.com
    
    SSLEngine on
    SSLCertificateFile /path/to/certificate.pem
    SSLCertificateKeyFile /path/to/private.key
    SSLCertificateChainFile /path/to/fullchain.pem
</VirtualHost>

For Docker/Kubernetes:

# Create secret from certificate and key
kubectl create secret tls my-cert \
  --cert=/path/to/certificate.pem \
  --key=/path/to/private.key

# Reference in Ingress
spec:
  tls:
  - hosts:
    - example.com
    secretName: my-cert

Managing Users and Permissions

Add New User:

1. Navigate to Users (admin only)
2. Click Add User
3. Enter username and temporary password
4. Select role (admin or user)
5. User must change password on first login

Role Permissions:

• Admin: Full access to all features, CA management, user management
• User: Can issue certificates and manage their own certificates

Advanced Configuration

SSL/TLS Settings

Configure Custom SSL Parameters:

# app configuration
SSL_MIN_VERSION = 'TLSv1.2'
SSL_PROTOCOLS = 'TLSv1.2:TLSv1.3'
SSL_CIPHERS = 'HIGH:!aNULL:!MD5'

Database Configuration

Using PostgreSQL (Advanced):

# Install PostgreSQL driver
pip install psycopg2-binary

# Configure .env
DATABASE_URL=postgresql://user:password@localhost:5432/certo

Backup and Recovery

Backup CAs and Certificates:

# Automatic daily backups
docker-compose exec certo python3 backup.py

# Manual backup
tar -czf certo-backup-$(date +%Y%m%d).tar.gz /path/to/certo/data/

Restore from Backup:

tar -xzf certo-backup-20260412.tar.gz -C /path/to/certo/

Troubleshooting

Issue: Certificate Not Trusting in Browser

Solution:

• Export the Root CA certificate
• Install in browser's certificate store (Certificates → Import)
• Restart browser
• Visit application again

Issue: Certificate Chain Incomplete

Solution:

• Always use fullchain.pem (not just certificate.pem)
• Ensure proper certificate chain: Root CA → Intermediate (if applicable) → Leaf
• Verify certificate with: openssl verify -CAfile chain.pem cert.pem

Issue: Can't Access After Docker Restart

Solution:

# Check container status
docker-compose ps

# Check logs
docker-compose logs -f certo

# Restart containers
docker-compose restart

Issue: Forgot Admin Password

Solution:

# Reset admin password (development only)
docker-compose exec certo python3 reset_password.py admin

# For production, use backup codes or contact system administrator

Security Best Practices

1. Change Default Credentials - Immediately after installation
2. Enable 2FA - Protect admin accounts with TOTP
3. Regular Backups - Backup CAs and private keys weekly
4. Keep Updated - Monitor for security patches
5. Use Strong Passwords - Minimum 16 characters, mixed character types
6. Restrict Network Access - Only allow authorized IPs
7. Monitor Certificate Expiry - Set up expiration alerts
8. Rotate Certificates - Reissue annually or per security policy

Performance Considerations

• Scalability: Handles thousands of certificates efficiently
• Database Queries: Optimized for fast certificate lookups
• Concurrency: Supports multiple concurrent users
• Memory Usage: Lightweight footprint (< 100MB typical)
• Disk Space: ~1MB per 100 certificates

Production Deployment Checklist

• Change default admin credentials
• Enable 2FA for admin accounts
• Configure SSL/TLS for CERTO itself
• Set up automated backups
• Configure log rotation
• Set up monitoring and alerts
• Document CA procedures
• Train team members
• Create disaster recovery plan
• Set certificate expiration reminders

Conclusion

CERTO provides a complete, self-hosted solution for SSL certificate management. With its comprehensive features, strong security implementation, and ease of use, it's an excellent choice for organizations that need complete control over their certificate infrastructure. Whether you're managing a small internal network or a large enterprise deployment, CERTO scales to meet your needs.

Additional Resources

• GitHub Repository
• Official Documentation
• Issue Tracker
• SSL/TLS Best Practices
• X.509 Certificate Format

License: MIT (Open Source)
Maintained By: BHATOL Community