Mutual TLS certificate management

certies

A small CLI for managing a local certificate authority for mutual TLS client authentication. Issue, revoke, sync, and inspect client certificates with an OpenSSL-style store layout.

$ certies init --name "Team Client CA"
$ certies new alice laptop
$ certies revoke alice laptop
$ certies sync user@example.com
$ certies status
Store: ~/.certies

Certificate Authority
  Subject:     Team Client CA
  Key type:    ECDSA P-256
  Created:     2024-01-15
  Expires:     2034-01-12 (2780 days)
  Status:      valid

CRL
  Last renewed: 2026-05-28
  Next update:  2026-06-27 (24 days)
  Status:       valid

Client certificates (4 total, 1 revoked):

  Client               Device               Serial   Key      Created      Expires      Status
  -----------------------------------------------------------------------------------------------
  alice                laptop               #1       ECDSA    2025-03-10   2027-03-10   valid (280d left)
  alice                phone                #2       ECDSA    2025-09-01   2026-09-01   valid (90d left)
  bob                  workstation          #3       ECDSA    2025-12-01   2026-12-01   valid (181d left)
  carol                laptop               #4       ECDSA    2024-11-05   2025-11-05   REVOKED (2025-04-08)

What it manages

certies keeps the CA, client material, revocation database, and server-facing artifacts together.

Local CA

Create and maintain a private certificate authority for client authentication.

Client certs

Issue per-user and per-device keys, certificates, and PKCS#12 bundles.

Revocation

Track revoked certificates in an OpenSSL-style index and regenerate signed CRLs.

Sync

Compare and deploy ca.crt and crl.pem to local or SSH targets.

Designed for small mTLS deployments

Servers trust the CA certificate and check the current CRL. Clients receive a PKCS#12 bundle containing their private key, client certificate, and CA chain.

~/.certies/
  serial
  crlnumber
  index.txt
  ca/
    ca.key
    ca.crt
  crl/
    crl.pem
  clients/
    alice/
      laptop/
        laptop.key
        laptop.crt
        laptop.p12
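
As an added example (not certies source code), here is a minimal reader for the index.txt file in the layout above, assuming certies follows the column format that `openssl ca` writes. The sample entries are constructed to mirror the status output shown earlier, and the subject names are hypothetical.

```rust
// Added example, not certies source. Assumes the six tab-separated columns that
// `openssl ca` writes: status, expiry, revocation[,reason], serial, file, subject.
#[derive(Debug, PartialEq)]
pub enum Status { Valid, Revoked, Expired }

#[derive(Debug)]
pub struct Entry {
    pub status: Status,
    pub expires: String,         // YYMMDDHHMMSSZ
    pub revoked: Option<String>, // set only when status is Revoked
    pub reason: Option<String>,  // e.g. keyCompromise, when recorded
    pub serial: String,          // hex text; serials can exceed 64 bits
    pub subject: String,
}

pub fn parse_line(line: &str) -> Result<Entry, String> {
    let f: Vec<&str> = line.split('\t').collect();
    if f.len() != 6 { return Err(format!("expected 6 fields, got {}", f.len())); }
    let status = match f[0] {
        "V" => Status::Valid,
        "R" => Status::Revoked,
        "E" => Status::Expired,
        other => return Err(format!("unknown status {other:?}")),
    };
    // A revocation date must be present exactly when the status is R.
    if (status == Status::Revoked) == f[2].is_empty() {
        return Err("status flag and revocation date disagree".into());
    }
    let (date, reason) = f[2].split_once(',').unwrap_or((f[2], ""));
    let keep = |s: &str| Some(s.to_string()).filter(|v| !v.is_empty());
    if f[3].is_empty() || !f[3].chars().all(|c| c.is_ascii_hexdigit()) {
        return Err(format!("bad serial {:?}", f[3]));
    }
    Ok(Entry { status, expires: f[1].into(), revoked: keep(date), reason: keep(reason),
               serial: f[3].into(), subject: f[5].into() })
}

/// Serials the CRL must list. Fails closed: one malformed line rejects the index.
pub fn revoked_serials(index: &str) -> Result<Vec<String>, String> {
    let mut out = Vec::new();
    for (n, line) in index.lines().enumerate().filter(|(_, l)| !l.is_empty()) {
        let e = parse_line(line).map_err(|e| format!("line {}: {e}", n + 1))?;
        if e.status == Status::Revoked { out.push(e.serial); }
    }
    Ok(out)
}
// Constructed sample mirroring the status output above; subjects are invented.
pub const SAMPLE: &str = "V\t270310000000Z\t\t01\tunknown\t/CN=alice laptop\n\
V\t260901000000Z\t\t02\tunknown\t/CN=alice phone\n\
V\t261201000000Z\t\t03\tunknown\t/CN=bob workstation\n\
R\t251105000000Z\t250408000000Z\t04\tunknown\t/CN=carol laptop\n";
fn main() { println!("{:?}", revoked_serials(SAMPLE)); }
```

Comparing this list with the serials in the deployed crl.pem is a quick way to confirm that a revocation has actually reached the server.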

Core commands

A compact command set for the certificate lifecycle.

certies init                    Create a new certificate authority.
certies new alice laptop        Issue a client certificate and bundle.
certies revoke alice laptop     Revoke a certificate and update the CRL.
certies renew-crl               Refresh CRL validity without changing revocations.
certies status                  Inspect CA, CRL, and client certificate health.
certies sync user@example.com   Deploy or compare server-facing artifacts.

Documentation

Background material for using certies in a mutual TLS deployment.

SSL certificate concepts

What each file in the store does and how servers use CA certificates, client certs, and CRLs.

TLS handshake details

A deeper explanation of certificate signing, verification, ECDSA math, and mTLS handshakes.

Install from source

cargo install --path .

Requires Rust and system OpenSSL headers.